A Certificate Authority (CA) is an entity that is trusted to sign digital certificates. At SSL Dragon we always recommend buying an SSL Certificate from a reputable CA, because such a CA is held to strict security and validation standards. But if CAs are responsible for verifying, issuing and revoking SSL Certificates, who regulates the Certificate Authorities themselves? To answer this question accurately, we need a closer look at all the parties involved in this process.
Browsers and Applications
Browsers and applications play a decisive role in defining the rules that govern Certificate Authorities. Every browser relies on a list of CA root certificates it trusts; technically, this list is called a “root store”. A browser accepts an SSL Certificate issued by a public CA only if the certificate chains up to a root that is already marked as trusted in the root store the browser uses.
Not all browsers keep their own root store. Some (Firefox, for example) ship one with the browser, while others rely on the root store of the client’s operating system, sometimes adding further restrictions of their own on top. If the root that issued a site’s SSL Certificate is in neither the browser’s root store nor the operating system’s, the client’s copy of the browser displays a warning telling the user not to trust the site’s security certificate.
But how do browsers determine which CA roots to trust? Each browser vendor runs a root program with published requirements that a CA must meet before its root is included, and those requirements have been tightened continuously to raise the security bar. Over time the root programs have phased out weak signature algorithms such as MD5 and SHA-1, and outdated RSA key sizes such as 512-bit and 1024-bit. A CA that fails to meet the full list of requirements, or is caught violating them, can have its roots removed from the browsers’ trusted root stores.
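To make the root-store decision concrete, here is an added example written for this page (it is not SSL Dragon's code and not any browser's actual implementation). It builds a throwaway root CA and a server certificate, verifies the certificate first against an empty root store and then against one that contains the root, and applies two of the root-program rules mentioned above (no MD5/SHA-1 signatures, no RSA keys under 2048 bits). The CA name, host name and policy thresholds are this example's own assumptions, not any vendor's policy text.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl, signed by parent's key, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// makeRoot creates a self-signed root. It is a throwaway root constructed for
// the example and stands in for a public CA's root certificate.
func makeRoot(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueLeaf has the root sign a server certificate for host, with an RSA key of
// the requested size (so the policy check can be shown on a 1024-bit key).
func issueLeaf(root *x509.Certificate, rootKey *rsa.PrivateKey, host string, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, root, &key.PublicKey, rootKey)
}

// newRootStore plays the part of a browser's (or operating system's) root store.
func newRootStore(roots ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return pool
}

// checkTrust is the decision a browser makes on connect: the certificate must
// chain to a root in the store and must be valid for the host name.
func checkTrust(leaf *x509.Certificate, store *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}

// untrustedRoot reports whether a failure is specifically "issuer not in root store".
func untrustedRoot(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// weakSigAlgs lists signature algorithms that root programs no longer accept.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD5WithRSA: true, x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

// policyViolations applies two root-program rules from the text: no MD5/SHA-1
// signatures and no RSA keys shorter than 2048 bits (thresholds assumed here).
func policyViolations(c *x509.Certificate) []string {
	var v []string
	if weakSigAlgs[c.SignatureAlgorithm] {
		v = append(v, "weak signature algorithm: "+c.SignatureAlgorithm.String())
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		v = append(v, fmt.Sprintf("RSA key too short: %d bits", pub.N.BitLen()))
	}
	return v
}

func main() {
	root, rootKey, err := makeRoot("Example Test Root CA") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf(root, rootKey, "www.example.test", 2048)
	if err != nil {
		panic(err)
	}
	// Root missing from the store: this is the case where the browser warns.
	err = checkTrust(leaf, newRootStore(), "www.example.test")
	fmt.Println("root not in store:", err, "| untrusted root:", untrustedRoot(err))
	// Same certificate once the root is in the store: accepted (nil error).
	fmt.Println("root in store:", checkTrust(leaf, newRootStore(root), "www.example.test"))
	// A 1024-bit key still chains correctly, but fails the root-program policy.
	short, err := issueLeaf(root, rootKey, "www.example.test", 1024)
	if err != nil {
		panic(err)
	}
	fmt.Println("1024-bit leaf violations:", policyViolations(short))
}
```

Note that chain building and policy checking are separate steps: the 1024-bit certificate verifies fine against the root store, and it is the root program's policy, enforced on the CA, that keeps such certificates from being issued in the first place.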
Browsers and Certificate Authorities
Browsers have an important say in how CAs should operate. However, browsers are not the only entities that regulate Certificate Authorities. The CAs themselves, working together with the browsers, have adopted several essential guidelines that have completely changed the SSL landscape.
In a bid to improve SSL security, CAs and browsers joined forces and established the CA/Browser Forum (CAB Forum). The forum currently consists of 52 CA members and 6 browser members. It meets in bi-weekly telephone calls and in face-to-face meetings 3 times a year. The CAB Forum’s best-known achievement is the creation of the Extended Validation (EV) guidelines, which gave birth to the highly successful Extended Validation SSL Certificates; it also maintains the Baseline Requirements that every publicly trusted CA must follow when issuing certificates.
WebTrust/ETSI audit regimes
After the members of the CAB Forum approve a set of guidelines, or an update to them, the new rules are incorporated into the audit criteria maintained by the Canadian Institute of Chartered Accountants/American Institute of CPAs (Certified Public Accountants), known as WebTrust for CAs, and into the standards of the European Telecommunications Standards Institute (ETSI). Browsers then add them to their root store requirements, and every CA must pass a regular WebTrust or ETSI audit by an independent auditor to prove it adheres to them; a CA that cannot show a clean audit risks losing its place in the root stores.
In conclusion, both browsers and CAs have a massive say in who regulates Certificate Authorities. Their continuous combined effort to improve SSL industry standards has steadily raised the security bar for everyone who relies on SSL encryption.