Anyone following the SSL industry will notice a steady stream of comments about certification authorities (CAs) and their practices. In many cases, the Certificate Authority Security Council (CASC) considers these comments to be myths.

The CASC has therefore collected these myths and written responses to them, which several editors have published. Read on and you will find responses to the following myths:

  • CAs are not regulated
  • CAs do not provide value
  • All types of certificates issued by CAs are the same
  • CAs are insular, unresponsive and unwilling to accept changes needed in the SSL protocol
  • SSL is broken beyond repair and we must find a new replacement system for authenticating identities online
  • SSL is an outdated system with too many vulnerabilities to work long-term
  • There are more than 600 CAs, too many to handle, and SSL is a commodity business
  • Certificate revocation is either unnecessary or broken; its benefits do not outweigh the potential browser performance issues that it causes
  • CAs have no incentive to innovate and make needed changes
Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.