IGF 2023 WS #181 Private Production of Trust: Digital Certificate Governance

Wednesday, 11th October, 2023 (06:10 UTC) - Wednesday, 11th October, 2023 (06:40 UTC)
SC – Room H

Global Digital Governance & Cooperation
Harmonising Global Digital Infrastructure

Organizer 1: Karl Grindal, 🔒University of New Hampshire
Organizer 2: Karim Farhat, 🔒The Internet Governance Project
Organizer 3: Mohamed Rafik Dammak, 🔒

Speaker 1: Aaron Gable, Technical Community, Western European and Others Group (WEOG)
Speaker 2: Wilson Clint, Private Sector, Western European and Others Group (WEOG)
Speaker 3: Zacharopoulos Dimitris, Technical Community, Western European and Others Group (WEOG)
Speaker 4: Phokeer Amreesh, Civil Society, African Group
Speaker 5: Srivastava Vagisha, Civil Society, Asia-Pacific Group


Karl Grindal, Civil Society, Western European and Others Group (WEOG)

Online Moderator

Karim Farhat, Civil Society, Western European and Others Group (WEOG)


Mohamed Rafik Dammak, Civil Society, African Group


Panel - 90 Min

Policy Question(s)

A. Given that most member organizations are based in developed countries, what efforts has the Forum taken, or should it take, to be more responsive to the Global South? B. The non-profit organization Let’s Encrypt issues free certificates and dominates the Certificate market. While access to free certificates has had a significant positive impact on Internet security, what are the risks of an overly concentrated Certificate market? C. What impact will the March 2023 amended language by the European Parliament to the European Digital Identity regulations (No 910/2014) have on browser oversight of certificates?

What will participants gain from attending this session? Participants and attendees of our session will gain valuable knowledge, insights, and understanding regarding the transnational, cooperative, private-sector led governance within the CA/Browser Forum and its impact on web security. They will learn about the industry-driven standards development efforts for PKI. Participants will leave with an understanding of the Certificate ecosystem and the role of Certificate Authorities and Browsers. They will also learn about the Forum's initiatives and their significance in enhancing web security and ensuring online trust. Furthermore, participants will be informed about external trends affecting the Forum's operations, such as CA market share, interoperability across Browser root stores, security incidents, and competing governance venues. This will help them engage better with this community and lead collaborative efforts driving the enhancement of web security.


This panel will explore the role of Certificate Authorities (CAs) and Browsers in the development, operation and regulation of the Internet’s Public Key Infrastructure (PKI). PKI is a fundamental component of the global internet infrastructure that allows for secure and trusted communication, protects data integrity, and facilitates secure transactions and authentication online. Over the past decade, inter-firm cooperation between CAs and the companies that develop Browsers have advanced effective security and transparency reforms across a growing number of PKI functions. The venue for these deliberations has been the Certificate Authority (CA) / Browser Forum, an unincorporated and volunteer led standards development organization. This moderated panel brings together CA/Browser leadership, global members, academics, and civil society to discuss the past decade of rapid reforms and the future of the certificate ecosystem. We will delve deeper into the crucial but underexplored realm of transnational, cooperative, private-sector led governance within the CA/Browser Forum and its role in shaping the web's Public Key Infrastructure (PKI). With a focus on the subtheme of Global Digital Governance & Cooperation [and Harmonizing Global Digital Infrastructure], the talk will shed light on how this industry-driven forum overcomes collective action problems to promote security reforms and protect websites. We will also discuss issues of global inclusion and accessibility, the impact of distribution of free certificates and its effect on market concentration. We would also explore the possible ramifications of EU’s electronic identification, authentication, and trust services or eIDAS on CAs and browser root stores. Our aim through this panel is to provide a deeper understanding of the dynamics shaping self-governance in the web PKI industry, its implications for global digital governance, and the collaborative efforts to enhance web security.

Expected Outcomes

The research leading up to the proposed panel is supported with a grant from the Internet Society Foundation. Associated research has entailed qualitative interviews with CA/B Forum principles and quantitative analysis of forum participation, interoperability and market trends. We see this work as culminating in the IGF panel which provides a unique opportunity to bring global participants together, validate our findings with the panelists, and share research with impactful stakeholders and policy makers. Preliminary findings have already been presented at the Internet Governance Project’s Annual Conference, and at GIG-ARTS 2023. Additional presentations of this research program are planned ahead of IGF at venues including the Telecom Policy Research Council (TPRC); and Giga-Net’s IGF Zero Day Workshop. With respect to publications, a public facing white paper will be made available to IGF attendees. All of this work will feed into 2-3 academic articles for peer reviewed publications.

Hybrid Format: We intend to fully integrate the in-person and online panelists and audience. To set up the panel for high engagement, brief words of guidance for participation will be given at the start of the talk so that both the in-person and online audience know what to expect. Additionally, research and analysis developed by the University of New Hampshire and Georgia Tech will be shared as both physical handouts and virtually with links to online documents. The in-person and online moderators will maintain a shared document so that virtual questions can be easily tracked and called upon in the order they were asked. Assuming technical feasibility, online participants will have the option of their comment or question being relayed by the moderator or stated in their own words. The online moderator will also be called on to summarize virtual conversations for the in-person audience when helpful.