Root Certificate Programs
G-Loaded wrote about how certificate authorities get their root certificates embedded in web browsers so that they are automatically trusted:
A digital certificate’s purpose of existence is to sign or encrypt other material, whether the latter is an online transaction, an email message or software code. Root Certificates are digital certificates used by Certificate Authorities to sign and add certain extensions to other certificates they issue, thus making the latter valid for certain uses. Web browsers, Linux distributions, Microsoft’s or Apple’s operating systems, etc. ship with a default set of Root Certificates. Taking into account that those Root Certificates are what we actually trust when we come across material that has been signed or encrypted by another certificate, which has been issued (signed) by a Certificate Authority’s Root Certificate, the method in which those Root Certs have made their way into the browser’s or operating system’s main distribution packages becomes very interesting.
Lately, I’ve been wondering about the above and I soon found out about the major web browser manufacturers’ Root Certificate Programs (RCP). In other words, documents that outline the required procedure a company has to follow in order for their Root Cert to finally be included in the browser. Here are links for the Mozilla, Microsoft, Apple, Opera programs. The process is not simple and requires a lot of auditing by 3rd parties. That’s good!
Root Certificate Programs - The root of all trust - [G-Loaded]
Originally posted on Sun Nov 25, 2007