- Trust comes from credible, established and stable CAs
Is the CA established and does it own its own trusted root?
Business stability is an essential component when selecting any supplier. While SSLreview does not examine the financial stability of each CA in detail (enterprise-class accounts are advised to conduct their own due diligence into each CA), it does examine who owns the root CA certificate each CA issues under.
You can examine trusted root ownership yourself: when your browser has an SSL connection to a web server, double-click the padlock, and when the certificate dialog appears, click the "Certification Path" tab to see which trusted root CA certificate the SSL certificate chains up to.
Verisign owns its own root.
GeoTrust owns the Equifax root (Equifax Digital Certificate Services became GeoTrust in 2001).
Thawte owns its own root. Thawte is owned by Verisign.
Cybertrust owns the GTE CyberTrust root (Cybertrust bought GTE CyberTrust in 2003).
Entrust owns its own root.
GlobalSign owns its own root.
IPSCA owns its own root.
What to consider…
When selecting a CA, always consider the long term stability of the CA, especially if you require longer term enterprise solutions.
If the CA issues from an intermediate certificate rather than from its own root, consider the long-term stability of the CA supplying that intermediate, and of course the stability of the supplier relationship between the two CAs.
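The two points above (reading the certification path, and noticing when the issuing CA is operating from an intermediate chained to another organization's root) can be checked with openssl outside the browser. The following POSIX shell script is an added example, not part of the SSLreview page: it builds a constructed three-certificate chain (a self-signed root owned by one organization, an intermediate for a second organization signed by that root, and a server certificate issued from the intermediate), then walks the chain from the server certificate upwards the way the "Certification Path" tab does, reporting the organization that issued the certificate and the organization that owns the trusted root. All organization names and the host name are made up.

```shell
#!/bin/sh
# Added example, not part of the SSLreview page. Builds a constructed chain
# (root -> intermediate -> server certificate) with openssl, then walks it
# from the server certificate up to the self-signed root, which is the path
# the browser's "Certification Path" tab displays. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_key_csr NAME "/O=.../CN=...": fresh P-256 key and CSR in $WORK.
new_key_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Constructed chain: the root belongs to one organization, while the CA that
# actually issues the server certificate is a different organization working
# from an intermediate signed by that root (the situation the text warns about).
build_demo_chain() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 30 \
    -subj "/O=Root Holding CA/CN=Root Holding CA Root" 2>/dev/null
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:false\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"
  new_key_csr inter "/O=Reseller CA/CN=Reseller CA Intermediate"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  new_key_csr leaf "/O=Example Shop Ltd/CN=www.example.test"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# org_of CERT: the organizationName from the subject, as the padlock dialog shows it.
org_of() {
  openssl x509 -noout -subject -nameopt multiline -in "$1" |
    awk -F' = ' '/organizationName/ { print $2 }'
}

# is_self_signed CERT: subject and issuer names coincide, i.e. this is a root.
is_self_signed() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# find_issuer CERT POOL...: the certificate in POOL whose subject matches CERT's issuer.
find_issuer() {
  want=$(openssl x509 -noout -issuer_hash -in "$1"); shift
  for c in "$@"; do
    if [ "$(openssl x509 -noout -subject_hash -in "$c")" = "$want" ]; then
      echo "$c"; return 0
    fi
  done
  echo "chain incomplete: no issuer found" >&2; return 1
}

# issuer_org LEAF POOL...: organization of the CA that directly issued LEAF.
issuer_org() {
  leaf=$1; shift
  org_of "$(find_issuer "$leaf" "$@")"
}

# root_owner LEAF POOL...: walk upwards until a self-signed certificate is
# reached and print the organization that owns that trusted root.
root_owner() {
  cur=$1; shift
  while ! is_self_signed "$cur"; do
    cur=$(find_issuer "$cur" "$@") || return 1
  done
  org_of "$cur"
}

build_demo_chain
# Word splitting of CHAIN is intended; mktemp paths contain no spaces.
CHAIN="$WORK/leaf.pem $WORK/inter.pem $WORK/root.pem"
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
echo "issued by:  $(issuer_org $CHAIN)"
echo "root owner: $(root_owner $CHAIN)"
```

When the two printed organizations differ, the CA you are buying from does not own the root your customers' browsers trust, and the stability of the root owner and of the relationship between the two organizations becomes part of your risk assessment. Against a live site, the same functions can be run over the certificates saved from `openssl s_client -showcerts` instead of the constructed chain.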
Credibility & WebTrust Compliance
The key issue for the long-term stability of a CA is whether it has achieved WebTrust compliance. As well as assuring the relying party (e.g. your customers) that your SSL certificate was issued by a CA that is regulated and audited by AICPA/CICA, you are also assured that the CA is both financially and technologically sound and has standards in place to ensure its ongoing operation.
Microsoft have stated that by 2004 all non-WebTrust-compliant CAs will have their trusted root CA certificates removed from Internet Explorer. If your SSL certificate has been issued by a non-WebTrust-compliant CA and the CA's trusted root is revoked, your SSL certificate will also be revoked.
Clearly you should consider this fundamental future-proofing issue when selecting your SSL provider.
What does it mean to be WebTrust compliant?
"The WebTrust Seal of assurance for Certification Authorities symbolizes to potential relying parties [e.g. your customers] that a qualified practitioner has evaluated the CA's business practices and controls to determine whether they are in conformity with the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria. An unqualified opinion from the practitioner indicates that such principles are being followed in conformity with the WebTrust for Certification Authorities Criteria. These principles and criteria reflect fundamental standards for the establishment and on-going operation of a Certification Authority organization or function."