The View from Here
Members of the Common CA Database | 09 April 2025
Imagine an investigative journalist, renowned for her work exposing corruption. She is communicating with a confidential informant and on the verge of cracking a high-profile case. She believes her conversations with the informant are secure - until a sophisticated cyberattack shatters that illusion. Attackers appear to have exploited weaknesses in the provisioning of the digital certificate used for encryption. This allows them to intercept her communications. The fallout from the breach is swift and severe. The whistleblower no longer communicates with the reporter. The incriminating evidence disappears. The journalist’s credibility crumbles, and her career now hangs in the balance.
The attack envisioned here is hypothetical, but it draws inspiration from real-world cybersecurity incidents and would be dramatically more common if not for a critical, often-overlooked aspect of internet security: the vital role of effective governance and security review processes in managing the world's default trust on the internet.
Why do you care about digital certificates?
Digital certificates are a behind-the-scenes technology to most people, but they are fundamental to reliability and security on the internet for everyone. These certificates matter because when you…
… visit a website, your browser and the web server use the site's certificate to establish an encrypted connection. This provides you with confidentiality to prevent eavesdropping, integrity to ensure the data is not tampered with, and authentication to confirm that you are connected to the legitimate website and not an imposter.
… receive an email with confidential information, it can protect the message from being read or altered by anyone during transit. The sender can encrypt the email, and when you decrypt it, you are assured that the integrity and confidentiality of the message were maintained throughout transit.
… download software from the internet, a digital certificate embedded in the code confirms that the software is genuinely from the stated developer and hasn't been tampered with. This helps protect your system from malware.
The systems of trust that allow us to securely interact with websites, services, and software over the internet are referred to as publicly-trusted Public Key Infrastructure (PKI). When you…
… visit a website secured with Hypertext Transfer Protocol Secure (HTTPS), your browser automatically trusts certificates issued by publicly-trusted issuers of these certificates (known as Certification Authorities or “CAs”).
… receive email signed and encrypted with publicly-trusted certificates, you know the email came from whom it claims to and was not intercepted. Similarly, when you email a person or organization with whom you do not have a prior relationship, publicly-trusted certificates allow you to sign and encrypt that message.
… download software signed with a publicly-trusted certificate, your operating system can verify the developer’s identity and the code’s integrity.
Thanks to the publicly-trusted PKIs, all of this can happen with little to no action required of you. This universal, readily available trust that facilitates secure interactions on the internet happens because Root Store Operators (and others) help manage publicly-trusted certificates.
Wait, who?
Technology organizations, such as Apple, Google, Microsoft, Mozilla, Opera, and Cisco, have individuals who operate their respective root programs (i.e., Root Store Operators) by curating and managing lists of those CAs that are deemed worthy of being relied upon by default by the public.
Each root store supports the ecosystems of their respective platforms, such as operating systems and browsers, collectively ensuring the integrity and security of global online interactions. Mozilla’s root store, for instance, not only secures Firefox but also powers a broad range of Linux distributions. Google, Apple, Microsoft, Cisco, and Opera integrate their root stores into their own products, which include browsers, operating systems, and email clients, to secure trillions of connections and serve billions of users worldwide.
Together, these Root Store Operators and their root programs create a robust trust framework that benefits users of all major platforms.
Private, enterprise, and public trust decisions.
As noted earlier, when you navigate the internet, your browser automatically trusts websites that have digital certificates issued by certain trusted organizations called CAs. This is default public trust, and it's built into your browser or operating system, meaning the Root Store Operators have made the decision about which CAs to trust on your behalf, so you can safely connect to most websites without worry.
However, sometimes you might encounter a website or application that uses a certificate from a CA that isn't automatically trusted. In this case, you can make a private trust decision, choosing to manually trust that specific CA or website certificate, although this is generally not recommended unless you have a very good reason and understand the risks.
Larger companies or organizations often use enterprise trust, which is similar to private trust but on a larger scale. Here, a system administrator decides which CAs their organization's computers will trust, allowing employees to securely access internal resources or specific external partners that might not be part of the default public trust system. This could also mean that the company does not trust certain publicly-trusted CAs, as decided by their administrator.
Essentially, public trust is like a pre-approved list for everyone, while private trust is like making your own exceptions, and enterprise trust is like a company creating its own customized list for all its employees.
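The three kinds of trust decision described above, shown as verification results rather than as policy: this is an added example and not part of the original post. It builds a throwaway PKI with the openssl command line (assumed to be installed) and checks the same two certificates against three different trust stores. Every CA name, host name and file name is constructed for the demonstration; the "public" root is only a stand-in for a root that ships in a browser or operating system.

```shell
#!/bin/sh
# Added example (not from the CCADB post): a throwaway PKI built with openssl,
# used to show public, private and enterprise trust decisions as verify results.
# All CA names, host names and file names below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX CN: self-signed root CA (req -x509 marks it CA:TRUE by default)
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" -days 30 >/dev/null 2>&1
}

# make_leaf ISSUER_PREFIX PREFIX CN: end-entity certificate issued by ISSUER_PREFIX
make_leaf() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -out "$WORK/$2.pem" -days 30 >/dev/null 2>&1
}

# trust_decision STORE LEAF: prints "trusted" if LEAF chains to a root contained
# in STORE, otherwise "untrusted". -no-CApath keeps the system directory out of
# the picture so that only the chosen store decides.
trust_decision() {
  if openssl verify -no-CApath -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Two roots: a stand-in for a publicly-trusted CA and an internal corporate CA,
# each issuing one server certificate for a constructed host name.
make_ca public_ca "Constructed Stand-In Public Root"
make_ca internal_ca "Example Corp Internal Root"
make_leaf public_ca leaf_public "www.example.test"
make_leaf internal_ca leaf_internal "intranet.corp.example.test"

# Three trust stores, one per kind of decision:
#   public:     what ships in the browser/OS (here: only the stand-in public root)
#   private:    the user's own exception added on top of the public list
#   enterprise: the administrator's list, which adds the internal root and
#               deliberately leaves the public root out (a distrust decision)
cat "$WORK/public_ca.pem" > "$WORK/public_store.pem"
cat "$WORK/public_ca.pem" "$WORK/internal_ca.pem" > "$WORK/private_store.pem"
cat "$WORK/internal_ca.pem" > "$WORK/enterprise_store.pem"

# Print the full decision matrix when run stand-alone.
for leaf in leaf_public leaf_internal; do
  for store in public_store private_store enterprise_store; do
    printf '%-14s %-17s %s\n' "$leaf" "$store" "$(trust_decision "$store.pem" "$leaf.pem")"
  done
done
```

The matrix makes the distinctions concrete: the internally issued certificate is untrusted under public trust and trusted only once a user or administrator adds the internal root, while the certificate from the stand-in public root is trusted by default but becomes untrusted under the enterprise store that omits it. Trust is a property of the store the verifier consults, not of the certificate itself.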
Reliability and security are achieved through accountability.
The collaborative role of Root Store Operators extends beyond our individual ecosystems. Our programs collectively uphold security standards, help prevent anti-competitive behavior, drive innovation, and steer this digital certificate ecosystem toward positive outcomes for users worldwide.
The Common CA Database (CCADB), as a directed fund of The Linux Foundation, is a repository of public information about CAs whose certificates are included within the products and services of some Root Store Operators. CAs are responsible for inputting data into the system, and the CCADB Steering Committee is responsible for maintaining the availability of the CCADB and continually improving the use of information.
While the CCADB provides a single common entry point for tracking publicly-trusted certificates, each Root Store Operator maintains its own root store, defines its own policies, assesses CAs for compliance, and takes decisive action when those standards are not met. This independence ensures that trust decisions reflect the unique values of each platform while contributing to the collective security of the internet.
These same Root Store Operators actively participate in the CA/Browser Forum to represent the interests of consumers of certificates, where we commonly pursue the implementation of standards that enhance reliability and security and are meant to reflect the minimum threshold for trust inherited by the public.
While the CA/Browser Forum defines Baseline Requirements (BRs) as the minimum set of security standards for publicly-trusted CAs, Root Store Operators maintain their own policies to establish what's most acceptable for their platforms, often exceeding those minimums to reflect their specific security values and user expectations.
Signs of reliability and security that we look for, and you can, too.
Root Store Operators reach their own conclusions and set their own timelines when adding or removing certificates from their root stores. However, there are several publicly observable characteristics of CAs that can signal strengths of reliability and security.
- High-quality public incident reporting with evidenced demonstration of continuous improvement. CAs with sustained patterns of certificate mis-issuance or that repeat past mistakes are less reliable and secure. It’s important to understand that the number of incident reports is not as important as how a CA responds. Instead of simply counting incident reports, focus on evaluating the quality of the CA's actions and resolutions.
- Sustained history of compliance, evidenced by the public incident reporting process and public audit reports. Publicly-trusted CAs are required to undergo third-party annual audits and make the results readily available.
- Accurate certificate policy documents that clearly describe practices in sufficient detail enable the public to assess the CA’s operations against industry requirements (e.g., CA/Browser Forum Baseline Requirements). Discrepancies between policies and real-world practices can be a significant cause for concern.
- Open and transparent operations, supported by freely available documentation, provide Root Store Operators, security researchers, and members of the public trust community with an ongoing opportunity to evaluate practices and operational characteristics.
- Absence of negative signal during the CA inclusion public discussion process. Root Store Operators collaborate to facilitate a 6-week public discussion for applicant CAs. Signals from the public during the discussion period may highlight concerning behavior that is otherwise unknown to Root Store Operators.
- A commitment to automation that promotes agility, enhances resilience and reliability, and increases efficiency. The use of open automated solutions relying on standards such as the Automatic Certificate Management Environment (ACME) protocol, especially when combined with innovations like ACME Renewal Information (ARI), can improve security posture and resilience in response to unexpected events, including CA incidents, Internet security weaknesses, and cryptographic deprecations.
Root Store Operators require transparency, which makes these factors and other aspects of CA trust publicly available, allowing individuals to make better-informed trust decisions for themselves.
Public trust is a responsibility and a privilege.
Root Store Operators are tasked with maintaining the list of CAs that are automatically trusted by their products and platforms. This is a huge responsibility because our decisions directly impact the security of billions of users worldwide. We have a duty to carefully vet CAs, enforce strict security standards, and constantly monitor the threat landscape to ensure that only truly reliable organizations are granted the power to issue certificates that are trusted by default. We act on behalf of our product users when making these trust decisions. In essence, we are responsible for collective online safety, and the integrity of the entire system depends on our diligence and commitment.
On the other hand, public trust is a privilege for CAs because it's an exclusive status granted to them by the Root Store Operators, not a right. Being included in a root store's list of trusted CAs is incredibly valuable because it means that certificates issued by that CA will be automatically and widely trusted by most devices, operating systems, browsers and mail clients on the planet. However, this privilege comes with a heavy burden of responsibility. CAs must adhere to industry standards and maintain the highest levels of security to ensure they are not compromised. If a CA fails to uphold these standards or is found to be involved in any activity that undermines public trust, they can be removed from the root store, effectively revoking their privilege and rendering their certificates untrusted. It's a privilege that must be continuously earned and maintained through consistent adherence to best practices and a demonstrated commitment to security.
The collective efforts of Root Store Operators extend far beyond their immediate ecosystems, benefiting everyone who relies on publicly-trusted certificates. By working together to innovate, define, and enforce rigorous standards, Root Store Operators ensure a consistent and secure experience for users across all platforms. The CCADB and open-source root stores provide vital infrastructure for products and platforms, by performing the governance function and curating lists of duly-vetted CAs that meet the stringent requirements for public trust as issuers of digital certificates. Further, the collaborative oversight prevents regulatory capture, underinvestment, and anti-competitive behaviors, preserving trust and integrity in the digital certificate infrastructure.
Root Store Operators serve as a backbone for secure online communication. By curating trusted CAs, enforcing high standards, and working collaboratively, we ensure that the internet remains a secure and reliable space for everyone.
This is a multi-part series focused on information security and publicly-trusted PKI.