CAs that Apple pre-approves

I have been working on getting the cheswick.com CA to work harder for me, and am dropping it into place. Of course, I added it to my iPad's list of trusted CAs (which will "change my iPad!") So I wondered how long Apple's list of CAs is.

These results are from http://support.apple.com/kb/HT4415:

grep '^Subject Name' HT4415.html | wc -l

174

That is a lot of CAs! I wonder who all these trusted swell folks are...

grep '^[ \t]Organization Name' HT4415.html | sed 's/^.://' | sort -u | wc -l

102

102 unique names. The sorted list:

grep '^[ \t]Organization Name' HT4415.html | sed 's/^.://' | sort | uniq -c | vis

     6  (c) 2005 T\M-C\M^\RKTRUST Bilgi \M-D\M-0leti\M-E\M^_im ve Bili\M-E\M^_im G\M-C\M-<venli\M-D\M^_i Hizmetleri A.\M-E\M^^.
     6    A-Trust
    12    A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH
     6    A-Trust Ges. f\M-C\M-<r Sicherheitssysteme im elektr. Datenverkehr GmbH
    12    AC Camerfirma SA CIF A82743287
     4    ADMINISTRACION NACIONAL DE CORREOS
    12    AOL Time Warner Inc.
     8    ARGE DATEN - Austrian Society for Data Protection
     6    AS Sertifitseerimiskeskus
    32    AddTrust AB
     8    AffirmTrust
    12    America Online Inc.
     6    Apple Computer, Inc.
     6    Apple Inc.
     6    Arge Daten Oesterreichische Gesellschaft fuer Datenschutz
     6    Baltimore
    12    Buypass AS-983163327
     2    CNNIC
     6    COMODO CA Limited
     6    CertiNomis
     6    Certplus
     2    Chunghwa Telecom Co., Ltd.
     6    Cisco Systems
    18    Comodo CA Limited
     6    Deutsche Telekom AG
     8    Dhimyotis
    18    DigiCert Inc
     6    DigiNotar
     6    Digital Signature Trust
    20    Digital Signature Trust Co.
     2    Disig a.s.
     6    EBG Bili\M-E\M^_im Teknolojileri ve Hizmetleri A.\M-E\M^^.
     6    Entrust, Inc.
    34    Entrust.net
     8    Equifax
     8    Equifax Secure
    12    Equifax Secure Inc.
     2    FNMT
     6    GIP-CPS
     6    GTE Corporation
    12    GeoTrust Inc.
     8    GlobalSign
    12    GlobalSign nv-sa
     2    GoDaddy.com, Inc.
     6    Hongkong Post
    16    IPS Internet publishing
    32    IPS Internet publishing Services s.l.
     4    IPS Seguridad CA
     6    IZENPE S.A.
     6    IZENPE S.A. - CIF A-01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8
     2    IZENPE S.A. - CIF A01337260-RMerc.Vitoria-Gasteiz T1055 F62 S8
     8    JPKI
    12    Japanese Government
    16    KISA
    12    KMD
     8    LGPKI
    24    NetLock Halozatbiztonsagi Kft.
     6    NetLock Kft.
     6    Network Solutions L.L.C.
    20    QuoVadis Limited
     4    RSA Data Security, Inc.
    12    RSA Security Inc
     6    SECOM Trust Systems CO.,LTD.
     6    SECOM Trust.net
    12    SecureTrust Corporation
     6    Sociedad Cameral de Certificaci\M-C\M-3n Digital - Certic\M-C\M-!mara S.A.
    12    Sonera
    12    Staat der Nederlanden
    12    Starfield Technologies, Inc.
    12    StartCom Ltd.
     6    SwissSign
    18    SwissSign AG
     6    Swisscom
     2    TAIWAN-CA
    32    TC TrustCenter GmbH
    30    TC TrustCenter for Security in Data Networks GmbH
     6    TDC
     8    TDC Internet
    18    Thawte Consulting
    12    Thawte Consulting cc
     8    The Go Daddy Group, Inc.
    30    The USERTRUST Network
     6    T\M-C\M^\RKTRUST Bilgi \M-D\M-0leti\M-E\M^_im ve Bili\M-E\M^_im G\M-C\M-<venli\M-D\M^_i Hizmetleri A.\M-E\M^^. (c) Aral\M-D\M-1k 2007
     2    T\M-C\M^\RKTRUST Bilgi \M-D\M-0leti\M-E\M^_im ve Bili\M-E\M^_im G\M-C\M-<venli\M-D\M^_i Hizmetleri A.\M-E\M^^. (c) Kas\M-D\M-1m 2005
    30    U.S. Government
     6    Unizeto Sp. z o.o.
     6    Unizeto Technologies S.A.
     6    VAS Latvijas Pasts - Vien.reg.Nr.40003052790
     6    VISA
     2    Vaestorekisterikeskus CA
    18    ValiCert, Inc.
    78    VeriSign, Inc.
     6    WISeKey
     6    Wells Fargo
     2    Wells Fargo WellsSecure
     6    XRamp Security Services Inc
    12    admin
     6    beTRUSTed
    48    ips@mail.ips.es C.I.F.  B-60929452
     6    thawte, Inc.
     2    \M-e\M^E\M-,\M-g\M^Z\M^D\M-e\M^@\M^K\M-d\M-:\M-:\M-h\M-*\M^M\M-h\M-(\M-<\M-c\M^B\M-5\M-c\M^C\M-<\M-c\M^C\M^S\M-c\M^B\M-9
     2    \M-f\M^W\M-%\M-f\M^\\M-,\M-e\M^[\M-=\M-f\M^T\M-?\M-e\M-:\M^\

(txt2html has trouble with the table. I am not going to try to figure it out.)

Okay, I would like to trim this list. The right security move is to start with an empty list and add only the entries that are needed, with the reason for each. Can I? No, it appears not. Many have noticed and complained about this before.

I'd actually like this for all my SSL uses. I guess Safari won't be helpful, but this totally should be a plugin for Firefox. Perhaps someone has done that. If not, it would make a good short project for a student.

I do have DNS logs. I could check all the destination hosts for SSL web services, and gather the CA information. That's a bit hit-or-miss, though.

The browser knows for sure, but in the event that browsers can't be fixed or extended, this would have to be done at a transparent proxy armed with a trusted cert. In my local case, I could use my own CA.

Come to think of it, this is simply another application-level gateway, and a fine security solution. I assume that there are transparent proxies that already do this. If not, this is probably patentable: the relevant patent is probably close to expiring. We were doing stuff like this in the mid-1990s.

Again, I wonder if someone has done all this already. The problem has certainly been around long enough, and we have seen attacks based on this problem.

What I would like is a friend-of-bill list: a collection of better CAs, and a blacklist of the worser ones, that I would assemble with a few of my more paranoid friends. And a low-volume mailing list discussing the changes.
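The trimming procedure sketched above (start from an empty trust list, admit a root only when an observed connection justifies it, keep a separate blacklist for the friend-of-bill policy) as an added Python example; this is not code from the post. The proxy log format, the host names, the "cheswick.com CA" entry and the small subset of root Organization Names are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample: a few of the 102 root-CA Organization Names from the page.
APPLE_ROOT_ORGS = ["VeriSign, Inc.", "Entrust.net", "DigiNotar", "CNNIC", "Equifax",
                   "GoDaddy.com, Inc.", "AddTrust AB", "COMODO CA Limited", "Comodo CA Limited"]

# Constructed records of the kind a transparent proxy would log: the destination
# host and the Organization of the root that anchored the served chain.
OBSERVED_LOG = """\
host=www.example.com root_org="VeriSign, Inc."
host=mail.example.net root_org="Entrust.net"
host=shop.example.org root_org="comodo ca limited"
host=www.example.com root_org="VeriSign, Inc."
host=intranet.cheswick.com root_org="cheswick.com CA"
"""
LINE_RE = re.compile(r'host=(\S+)\s+root_org="([^"]*)"')

def normalize(org):
    """Fold case and whitespace so 'COMODO CA Limited' and 'Comodo CA Limited' match."""
    return " ".join(org.split()).casefold()

def parse_observed(log):
    """Yield (host, root_org) pairs from the constructed log format above."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def build_allowlist(log, known_roots):
    """Start empty and admit only roots seen in use. Returns (allowlist, unknown): normalized
    root org -> sorted justifying hosts; roots not in known_roots (a private CA) go to unknown."""
    known = {normalize(r) for r in known_roots}
    allow, unknown = defaultdict(set), defaultdict(set)
    for host, org in parse_observed(log):
        key = normalize(org)
        (allow if key in known else unknown)[key].add(host)
    return ({k: sorted(v) for k, v in allow.items()},
            {k: sorted(v) for k, v in unknown.items()})

def prunable_roots(known_roots, allowlist):
    """Shipped roots that no observed connection ever needed: candidates to drop."""
    return sorted(r for r in known_roots if normalize(r) not in allowlist)

def decide(root_org, allowlist, blocklist):
    """Friend-of-bill policy: the blacklist wins, then the allowlist; unseen -> review."""
    key = normalize(root_org)
    if key in {normalize(b) for b in blocklist}:
        return "block"
    return "allow" if key in allowlist else "review"
```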