CA Due Diligence

As per Randy Bush's request, here is a first draft of a set of criteria for risk evaluation of Certificate Authorities (CAs).

Important entities depend on it

If entities such as multi-billion e-business sites rely on a given CA, this provides some assurance that the CA is trustworthy. First, it can be assumed that these entities have performed suitable care when selecting the CA. Second, disabling such a CA will be difficult because of the expected amount of damage. Third, if such a CA does get disabled, it is easier for smaller sites to argue something like "force majeure".


A CA with a clear organizational setup in a location with a robust legal system will inspire higher confidence.

2015/11/07 21:09:26
Simon Leinen <>