Free SSL Security Guides

Everything you need to know about securing your Online Business

What is a Certification Authority (CA)?

Not just anybody can issue trusted SSL Certificates. If anyone could, there would be no trust in SSL, and it could no longer be used commercially. Instead, only Certification Authorities, or CAs as they are commonly known, can issue SSL Certificates that browsers trust.

CAs have generally invested in establishing the technology, support, legal and commercial infrastructures associated with providing SSL certificates. Even though CAs are essentially self-regulated, the nearest thing to a regulatory body is the WebTrust compliance program operated by AICPA/CICA. The majority of CAs comply with the WebTrust principles; however, some CAs do not have WebTrust compliance. CAs that are WebTrust compliant display the WebTrust Seal, as seen below.

The WebTrust Seal of Assurance

The WebTrust Seal of assurance for Certification Authorities symbolizes to potential relying parties [e.g. to the end customer] that a qualified practitioner has evaluated the CA's business practices and controls to determine whether they are in conformity with the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria. An unqualified opinion from the practitioner indicates that such principles are being followed in conformity with the WebTrust for Certification Authorities Criteria. These principles and criteria reflect fundamental standards for the establishment and on-going operation of a Certification Authority organization or function.

Who are the CAs and why are there so many providers of SSL?

There are actually fewer than 10 CAs issuing commercially available SSL certificates. The Appendix contains the full list of CAs. Until recently the SSL market was dominated by Verisign and Thawte. In 1999 Verisign acquired Thawte, and it became a Verisign subsidiary. In recent years, new global players providing enterprise class solutions, such as GeoTrust (formerly Equifax Certificate Services), have also established themselves in the enterprise security market. In the last few months, other companies providing solutions for small to medium sized businesses have also started providing SSL certificates.

There is, however, confusion in the market because all CAs have reseller programs. Resellers are organizations that resell the CA's certificates, often at prices different from the CA's own. Resellers can sometimes save you money through discounted pricing, but they are also an easy way to be overcharged for SSL!

Be aware that some resellers will "re-brand" the CA's certificate, thereby masking who actually issues the certificate, and then offer their own re-branded certificates at prices inflated above the CA's own suggested retail price (SRP).

Don't be fooled by unknown brands: if an SSL Certificate is being sold under a brand that is not contained in the attached Appendix, the buyer should examine one of the reseller's example certificates before purchase. The Issuer field of the certificate names the CA that actually signed it, and re-branding cannot change it. It is very likely that the certificate has been issued by a CA featured in this white paper and will probably be available directly from the CA at a different cost, maybe even lower than the reseller offers it.

Resellers provide exactly the same certificate and features provided by the CA themselves, so it is essential for buyers to know which CA will issue the SSL certificate before purchasing through a reseller!
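The check described above, reading the Issuer field of a sample certificate to see which CA actually signed it, can be done with the openssl command line tool. The script below is an added example and is not part of the original guide. So that it runs offline, it first builds a throwaway "root CA" and a leaf certificate signed by it; the names "Example CA Inc", "Example Root CA", "Reseller Branded Shop" and "shop.example.com" are constructed test data, not real CAs or sites. The same `cert_issuer` and `issued_by` functions work unchanged on a PEM certificate downloaded from a reseller.

```shell
#!/bin/sh
# Added example: find out who really issued a certificate.
# A reseller's "re-branded" certificate still carries the real CA in its Issuer
# field, so the buyer can compare that name against the Appendix list of CAs.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test data: a throwaway root CA and a leaf certificate it signs.
# (Stands in for the reseller's sample certificate; not a real CA.)
make_test_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=Example CA Inc/CN=Example Root CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/O=Reseller Branded Shop/CN=shop.example.com" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Print a certificate's Issuer DN in RFC 2253 form, e.g. "CN=...,O=...".
# The sed strips the "issuer=" label, whose spacing differs between OpenSSL versions.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Print a certificate's Subject DN the same way.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed only if the issuer's O= attribute is exactly the expected CA name
# (matched as a whole attribute, so "Example CA Inc" does not match "Example CA Inc Ltd").
issued_by() {
    case ",$(cert_issuer "$1")," in
        *",O=$2,"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeed only if the leaf certificate cryptographically chains to the given CA
# certificate, i.e. the CA named in the Issuer field really signed it.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_test_chain "$WORK"
echo "subject: $(cert_subject "$WORK/leaf.pem")"
echo "issuer:  $(cert_issuer "$WORK/leaf.pem")"
if issued_by "$WORK/leaf.pem" "Example CA Inc"; then
    echo "issued by the expected CA"
fi
```

To check a real sample, save the reseller's certificate as PEM and run `cert_issuer reseller-sample.pem`; compare the O= value with the CA names in the Appendix. Reading the Issuer field identifies the CA, but only `chain_verifies` (or a browser's own validation) proves the CA actually signed the certificate rather than merely being named in it.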

Who are the top 2 CAs?

Each month Netcraft (www.netcraft.com) publishes the market share of each CA.

The following chart summarizes the market share of the top 2 enterprise players in the .net market, namely Verisign and GeoTrust. The chart also shows the market share of Thawte (a Verisign company).

Graph Of Worldwide SSL Market Share
