When you log on to a “secure” web site – one that you access via https:// instead of http:// – that works because the web site bought a certificate from a certificate authority. Those certificates work because the browsers – all of them – “trust” the makers of those certificates.
How do those certificate authorities become trusted? The certificate authorities apply to each of the browser makers and those browser makers each decide who to trust.
If a browser, or more than one browser, decides to not trust a certificate authority, then any time a user goes to a web site that uses a certificate from that authority they will get an error message saying the certificate is not trusted. Every single time.
What that means is that if any of the major browser vendors don’t trust you, then you cannot sell your certificates.
If you look at any browser or computer, and you know where to look, you can find a list of all of the certificate authorities that the browser or computer trusts. That used to be a handful of companies, but over time it has mushroomed to a ridiculous number, like 150 or more. For some reason the browser makers have made it incredibly hard for Joe or Jane user to see what certificates are installed or to delete one of them.
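One way to actually look at that list: the short script below (an added example, not from the original post) loads the root certificates that Python's ssl module trusts from the operating system's default OpenSSL paths and flags any root whose subject matches a name you want to audit for, such as the CAs named in this post. The watch list and the sample certificate entries are constructed for the example; the real list on your machine will differ.

```python
import ssl

# Constructed watch list: the CAs this post discusses. Edit to taste.
WATCHLIST = ("WoSign", "StartCom", "Symantec")

# Constructed sample entries in the same shape ssl.SSLContext.get_ca_certs() returns,
# so the matching logic can be exercised without touching the real trust store.
SAMPLE_ROOTS = [
    {"subject": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                 (("commonName", "DigiCert Global Root CA"),))},
    {"subject": ((("countryName", "CN"),), (("organizationName", "WoSign CA Limited"),),
                 (("commonName", "Certification Authority of WoSign"),))},
]


def subject_fields(cert):
    """Flatten the nested subject tuples of a get_ca_certs() entry into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields.setdefault(key, value)
    return fields


def load_trusted_roots():
    """Return the CA certificates trusted by this machine's default OpenSSL store."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return ctx.get_ca_certs()


def find_watchlisted_roots(certs, watchlist=WATCHLIST):
    """Return (organizationName, commonName) for every root whose subject hits the watch list."""
    hits = []
    for cert in certs:
        fields = subject_fields(cert)
        org = fields.get("organizationName", "")
        cn = fields.get("commonName", "")
        haystack = f"{org} {cn}".lower()
        if any(name.lower() in haystack for name in watchlist):
            hits.append((org, cn))
    return hits


if __name__ == "__main__":
    roots = load_trusted_roots()
    print(f"{len(roots)} trusted root CAs loaded from the system store")
    for org, cn in find_watchlisted_roots(roots):
        print("WATCHLIST HIT:", org, "/", cn)
```

Browsers such as Firefox ship their own root store rather than using the system one, so this audits what the OS (and programs that rely on it) trusts, not necessarily what every browser trusts.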
There is a group called the CA/Browser Forum and they set standards for certificate authorities to follow. The process of disciplining a CA can take years, but recently the CAB Forum started getting tough.
Two Chinese certificate authorities were not following the rules so the CAB Forum scolded them. Then they didn’t change their actions. So finally, one by one, the browsers started the process of the death sentence. This week, the last major browser maker said that come September they are no longer going to trust certificates made by WoSign and StartCom.
Of course smart people would be asking why the <bleep> we were trusting security certificates from China in the first place.
My answer? Beats me. I guess they want to be inclusive.
I would appreciate it if they allowed me to make that decision. But they figure that I am not smart enough to decide whether I want to trust certificates from China.
For a certificate authority, losing the trust of the browser makers is basically a death sentence – which is why they keep giving certificate authorities that screw up another chance. Personally, I vote for ONE strike and you are out.
On a related front, one of the biggest U.S. certificate authorities, Symantec (formerly Verisign), just sold its certificate business to Digicert.
Symantec/Verisign has been in CAB Forum “time out” for a year or two now because of oopsies that they have made, like issuing certificates for Google.Com to someone other than Google and stuff like that. Symantec has been given several chances to clean up their act but does not appear to be getting it right. Fearing that they were going to go down the same path that WoSign went down and pour a billion plus dollar investment down the sewer, this week they sold that business for $950 million plus some stock, to Digicert. This is good for users because Digicert is well respected, unlike Symantec.
So, while certificate authorities have, historically, received the death penalty like never, it appears that the browser makers have had their fill of it and ARE NOT GOING TO TAKE IT ANY MORE!!!
I hope this is the beginning of a trend. I could do with maybe a dozen trusted certificate authorities. That would be enough for me. 3 down, one hundred plus to go.