Bug 1890896 Comment 28 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

When selecting a CA partner, an Enterprise that would experience substantial disruption from a revocation would perhaps do well to investigate how well the CA in question has adhered to the policies that the CA has agreed to in order to be a CA, and how promptly and thoroughly they respond when they are discovered to be in breach of those commitments. Not only would that help them understand the risk posed by revocation due to CA misbehaviour, but I think it would also give insight into the general operational health of the CA in question. That in turn reads on their ability to perform all the responsibilities of a CA—many of which could have very substantial security consequences for an Enterprise. Many Enterprises require and review audit reports from their vendors, and CAs are fortunately required to be very public about their record and commitments, so a third-party auditor isn't even necessarily required for that dimension.

Enterprises who rely on issuer continuity protections would be *especially* well served to consider this, because misissuance by their selected CA becomes a much more material concern than does misissuance by an unrelated CA.

E: Absent such an investigation, though, the mere fact that a CA has a root present in a major root program *should* be sufficient assurance that the CA abides by the policies of those root programs consistently, which include not only adherence to the agreed-upon rules, but also a commitment to systematically address cases in which those rules are broken. If that is not a consistent property of the roots in those programs, then relying parties will increasingly need to make their own decisions about root trust in order to determine if a root actually complies, or simply promises to comply or gives excuses for why it can't comply. The vast majority of relying parties are not equipped to make that decision effectively, which is why the root program—and the integrity it derives from the consistent behaviour of the CAs in it—is so important to web security.
