
Yes. All CAs trusted by browsers have to go through WebTRUST or ETSI audits by accredited auditors.

See https://www.mozilla.org/en-US/about/governance/policies/secu... and https://www.ccadb.org/auditors and https://www.ccadb.org/policy#51-audit-statement-content



As I understand them, these are accounting audits, similar (if perhaps more detailed) to a SOC 2. The real thing keeping CAs from being gravely insecure is the CA death penalty Google will inflict if a CA suffers a security breach that results in any kind of misissuance.


It's not just Google, but also Mozilla, Apple, and Microsoft. They all work together on shutting down bad behavior.

Apple and Microsoft mainly have power because they control Safari and Edge. Firefox is of course dying, but they still wield significant power because their trusted CA list is copied by all the major Linux distributions that run on servers.


Sure. I think Google and Mozilla have been the prime movers to date, but everyone has upped their game since Verisign/Symantec.


That's good news about the CAs, but how about the publisher certificates that are in use?



