
Myths about CAs and SSL

Anyone who follows the SSL industry regularly sees comments about certification authorities (CAs) and their practices. In many cases, the Certificate Authority Security Council (CASC) considers these comments to be myths. The CASC has therefore collected these myths and provided responses, which some editors have published. Read them and you will find responses to the following myths:

  • CAs are not regulated
  • CAs do not provide value
  • All types of certificates issued by CAs are the same
  • CAs are insular, unresponsive and unwilling to accept changes needed in the SSL protocol
  • SSL is broken beyond repair and we must find a new replacement system for authenticating identities online
  • SSL is an outdated system with too many vulnerabilities to work long-term
  • There are more than 600 CAs, too many to handle, and SSL is a commodity business
  • Certificate revocation is either unnecessary or broken; its benefits do not outweigh the potential browser performance issues that it causes
  • CAs have no incentive to innovate and make needed changes