Root Certificate Programs – The root of all trust

A digital certificate[1]‘s purpose of existence is to sign or encrypt other material, either the latter is an online transaction, an email message or software code. Root Certificates, their respective private key actually[1], are used by Certificate Authorities to sign and add certain extensions to other certificates they issue, thus making the latter valid for certain uses. Web browsers, Linux distributions, Microsoft’s or Apple’s operating systems etc ship with a default set of Root Certificates. Taking into account that those Root Certificates are what we actually trust when we come across material that has been signed or encrypted by another certificate, which has been issued (signed) by a Certificate Authority’s Root Certificate, the method in which those Root Certs have made their way into the browser’s or operating system’s main distribution packages becomes very interesting.

Lately, I’ve been wondering about the above and I soon found out about the major web browser manufacturers’ Root Certificate Programs (RCP). In other words, documents that outline the required procedure a company has to follow in order their Root Cert to finally be included into the browser. Here are links for the Mozilla, Microsoft, Apple, Opera programs. The process is not simple and requires a lot of auditing by 3rd parties. That’s good!

But, what is even more interesting is the fact that not all browsers, Linux distributions, et cetera ship with the same default set of Root Certificates. This means that:

  • either some Certificate Authorities have been rejected by some Root Certificate Programs
  • or that some Certificate Authorities simply were not interested in enrolling into certain Root Certificate Programs

Anyhow, different default sets of Root Certificates mean you might get warned about material that has been signed by a digital certificate, which has been issued by a particular Certificate Authority, depending on how you access that same material. This does not make any sense and, generally, does not help much when you have to decide whether to trust the signed material or not.

Judging by the Root Certificate Programs mentioned above none of them asks for money in order to include a Root Certificate into the browser. So, there is no direct profit involved in this situation. Then, why isn’t there one common Root Certificate Program and some kind of independent authority that manages a set of Root Certificates which all browsers, operating systems, mobile phones etc should include by default? At least I would expect all Linux distributions to ship with the same default root certificates or to be able to update that set from the same source…

[1] For the sake of simplicity, the term “certificate” refers to either the private key or the public certificate depending on the action.

Root Certificate Programs – The root of all trust by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2007 - Some Rights Reserved

George Notaras avatar

About George Notaras

George Notaras is the editor of the G-Loaded Journal, a technical blog about Free and Open-Source Software. George, among other things, is an enthusiast self-taught GNU/Linux system administrator. He has created this web site to share the IT knowledge and experience he has gained over the years with other people. George primarily uses CentOS and Fedora. He has also developed some open-source software projects in his spare time.