by schoen 3933 days ago
Root CA status is conferred by the individual user-agent developers (for example, Mozilla, Microsoft, Google, Apple, among others). Some browser or OS developers may try to follow others' lead to avoid duplicating effort or creating big divergences in trusted status of a given cert.

Each entity that maintains its own root CA list has its own policy and process that people can apply through in order to propose to become a root CA. For example:

https://technet.microsoft.com/en-us/library/cc751157.aspx

https://wiki.mozilla.org/CA

These programs have certain criteria, which became more formal and rigorous over time (it used to be quite informal when the CA system was first set up). One commonality is generally to get a WebTrust CA audit, and there are also rules and meta-rules for CAs from the CA/Browser Forum.

https://cabforum.org/

This will require creating and publishing a certification policy and certification practice statement that have certain elements, and the auditors will look at those.

There are also physical security issues. For example, CAs use hardware security modules (HSMs) to perform their signing.

https://en.wikipedia.org/wiki/Hardware_security_module

The HSM will sign requested data, but won't export its private keys into a less-controlled environment like the CA's web server. It's akin to storing your crypto keys on a smartcard, only more expensive. :-)