Anyone following the SSL industry will regularly see comments about certification authorities (CAs) and their practices. In many cases, the Certificate Authority Security Council (CASC) considers these comments to be myths.

The CASC has collected these myths and provided responses, which some editors have published. Read them and you will find responses to the following myths:

  • CAs are not regulated
  • CAs do not provide value
  • All types of certificates issued by CAs are the same
  • CAs are insular, unresponsive and unwilling to accept changes needed in the SSL protocol
  • SSL is broken beyond repair and we must find a new replacement system for authenticating identities online
  • SSL is an outdated system with too many vulnerabilities to work long-term
  • There are more than 600 CAs, too many to handle, and SSL is a commodity business
  • Certificate revocation is either unnecessary or broken; its benefits do not outweigh the potential browser performance issues that it causes
  • CAs have no incentive to innovate and make needed changes
Bruce Morton

Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust Datacard, where he has been employed since 1999. His day-to-day responsibilities include managing standards implementations, overseeing Entrust Datacard’s policy authority, and monitoring Entrust Certificate Service for industry compliance.