{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,27]],"date-time":"2025-11-27T07:41:43Z","timestamp":1764229303112,"version":"3.46.0"},"reference-count":63,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,8,7]],"date-time":"2025-08-07T00:00:00Z","timestamp":1754524800000},"content-version":"vor","delay-in-days":218,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"DOI":"10.13039\/100010513","name":"Internet Society","doi-asserted-by":"publisher","award":["G-202201-05564"],"award-info":[{"award-number":["G-202201-05564"]}],"id":[{"id":"10.13039\/100010513","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>This paper provides a detailed analysis of how private actors cooperate to facilitate authentication and provide trust and security to the Web. The World Wide Web\u2019s Public Key Infrastructure (WebPKI) is a global governance structure forged through collective action among industry actors. Drawing on collective action theory and institutional analysis, we show how this regime of non-state actors produces a public good\u2014global authentication of website identities\u2014in a way that enhances security, privacy, and trust for websites and their users. Stakeholder analysis demonstrates how the production of digital certificates and the utilization of certificates for authentication and encryption necessitate interdependencies among Certificate Authorities (CAs) and Browsers\/Operating Systems. These relationships are institutionalized by the Certificate Authority\/Browser (CA\/B) Forum and other voluntary industry organizations. Since their founding, these institutions have developed through stages of formalization, specialization, and expansion of their scope, and have sought to address various security and efficiency challenges through new standards. We conclude by exploring some measures for evaluating the efficacy of this governance regime. Quantitative findings include assessments of CA market concentration, institutional membership and participation trends, stakeholder voting behavior, and the composition of Browser root stores.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaf018","type":"journal-article","created":{"date-parts":[[2025,7,23]],"date-time":"2025-07-23T11:53:13Z","timestamp":1753271593000},"source":"Crossref","is-referenced-by-count":0,"title":["Non-governmental governance of trust on the internet: WebPKI as public good"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1749-9157","authenticated-orcid":false,"given":"Karl","family":"Grindal","sequence":"first","affiliation":[{"name":"University of New Hampshire Department of Security Studies, , 88 Commercial Street, Manchester, New Hampshire 03103 ,","place":["United States"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9114-8259","authenticated-orcid":false,"given":"Milton","family":"Mueller","sequence":"additional","affiliation":[{"name":"School of Public Policy, Georgia Institute of Technology , 685 Cherry Street NW, Atlanta, Georgia 30332 ,","place":["United States"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-9358-3616","authenticated-orcid":false,"given":"Vagisha","family":"Srivastava","sequence":"additional","affiliation":[{"name":"School of Public Policy, Georgia Institute of Technology , 685 Cherry Street NW, Atlanta, Georgia 30332 ,","place":["United States"]}]}],"member":"286","published-online":{"date-parts":[[2025,8,7]]},"reference":[{"key":"2025112702400164500_bib1","doi-asserted-by":"crossref","first-page":"449","DOI":"10.1109\/UEMCON.2017.8249081","article-title":"Security issues with certificate authorities","volume-title":"2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON)","author":"Berkowsky","year":"2017"},{"article-title":"Exploring the evolution of the TLS certificate ecosystem","year":"2022","author":"Farhan","key":"2025112702400164500_bib2"},{"key":"2025112702400164500_bib3","first-page":"179","article-title":"Tracing your roots: 21st ACM Internet Measurement Conference, IMC 2021","volume-title":"Proceedings of the 2021 ACM Internet Measurement Conference","author":"Ma","year":"2021"},{"key":"2025112702400164500_bib4","first-page":"4383","article-title":"What\u2019s in a name? Exploring CA certificate control: 30th USENIX Security Symposium, USENIX Security 2021","volume-title":"Proceedings of the 30th USENIX Security Symposium","author":"Ma","year":"2021"},{"key":"2025112702400164500_bib5","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/PKIA56009.2022.9952249","article-title":"Evolving role of PKI in facilitating trust","volume-title":"2022 IEEE International Conference on Public Key Infrastructure and Its Applications (PKIA)","author":"Patil","year":"2022"},{"volume-title":"The Dirty Laundry of the Web PKI","year":"2023","author":"Stark","key":"2025112702400164500_bib6"},{"key":"2025112702400164500_bib7","doi-asserted-by":"crossref","first-page":"211","DOI":"10.1109\/SP.2019.00027","article-title":"Does certificate transparency break the Web? Measuring adoption and error rate","volume-title":"2019 IEEE Symposium on Security and Privacy (SP)","author":"Stark","year":"2019"},{"key":"2025112702400164500_bib8","doi-asserted-by":"crossref","first-page":"387","DOI":"10.2307\/1925895","article-title":"The pure theory of public expenditure","volume":"36","author":"Samuelson","year":"1954","journal-title":"Rev Econ Stat"},{"key":"2025112702400164500_bib9","doi-asserted-by":"crossref","first-page":"279","DOI":"10.1080\/09672560903320084","article-title":"\u2018Public goods\u2019 before Samuelson: interwar Finanzwissenschaft and Musgrave\u2019s synthesis","volume":"17","author":"Sturn","year":"2010","journal-title":"Eur J Hist Econ Thou"},{"key":"2025112702400164500_bib10","doi-asserted-by":"crossref","first-page":"59","DOI":"10.1215\/00182702-3777158","article-title":"Musgrave, samuelson, and the crystallization of the standard rationale for public goods","volume":"49","author":"Desmarais-Tremblay","year":"2017","journal-title":"Hist Polit Econ"},{"key":"2025112702400164500_bib11","doi-asserted-by":"crossref","first-page":"95","DOI":"10.1111\/j.1475-4932.1979.tb02209.x","article-title":"The free-rider problem: A surve","volume":"55","author":"McMillan","year":"1979","journal-title":"Econ Rec"},{"key":"2025112702400164500_bib12","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1086\/466796","article-title":"The lighthouse in economics","volume":"17","author":"Coase","year":"1974","journal-title":"J Law Econ"},{"key":"2025112702400164500_bib13","doi-asserted-by":"crossref","first-page":"395","DOI":"10.3828\/tpr.79.4.4","article-title":"The political economy of coase\u2019s lighthouse in history (Part I): A review of the theories and models of the provision of a public good","volume":"79","author":"Lai","year":"2008","journal-title":"Town Plann Rev"},{"volume-title":"The Logic of Collective Action: Public Goods and the Theory of Groups, Second Printing with a New Preface and Appendix","year":"1971","author":"Olson","key":"2025112702400164500_bib14"},{"key":"2025112702400164500_bib15","doi-asserted-by":"crossref","first-page":"377","DOI":"10.1111\/j.1467-6435.1983.tb02705.x","article-title":"Standards as public, collective and private goods","volume":"36","author":"Kindleberger","year":"1983","journal-title":"Kyklos"},{"key":"2025112702400164500_bib16","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1177\/109114218901700102","article-title":"Technical standards as public goods: demand incentives for cooperative behavior","volume":"17","author":"Berg","year":"1989","journal-title":"Public Finance Quarterly"},{"key":"2025112702400164500_bib17","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9781316423936","volume-title":"Governing the Commons: The Evolution of Institutions for Collective Action","author":"Ostrom","year":"2015","edition":"1st ed."},{"key":"2025112702400164500_bib18","doi-asserted-by":"crossref","first-page":"641","DOI":"10.1257\/aer.100.3.641","article-title":"Beyond markets and states: polycentric governance of complex economic systems","volume":"100","author":"Ostrom","year":"2010","journal-title":"Am Econ Rev"},{"key":"2025112702400164500_bib19","doi-asserted-by":"crossref","first-page":"173","DOI":"10.1016\/j.jebo.2004.06.015","article-title":"Self-governance, polycentrism, and federalism: recurring themes in Vincent Ostrom\u2019s scholarly oeuvre","volume":"57","author":"Wagner","year":"2005","journal-title":"J Econ Behav Organ"},{"volume-title":"Elinor Ostrom and the Bloomington School: Building a New Approach to Policy and the Social Sciences","year":"2021","author":"Lemke","key":"2025112702400164500_bib20"},{"key":"2025112702400164500_bib21","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511808678","volume-title":"Institutions, Institutional Change and Economic Performance","author":"North","year":"1990"},{"key":"2025112702400164500_bib22","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511528170","volume-title":"Institutions and Social Conflict","author":"Knight","year":"1992","edition":"1st ed."},{"key":"2025112702400164500_bib23","doi-asserted-by":"crossref","first-page":"281","DOI":"10.1002\/j.2325-8012.2008.tb00905.x","article-title":"The persistence and change of institutions in the Americas","volume":"75","author":"Acemoglu","year":"2008","journal-title":"South Econ J"},{"key":"2025112702400164500_bib24","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1086\/467202","article-title":"The rationality of U. S. regulation of the broadcast spectrum","volume":"33","author":"Hazlett","year":"1990","journal-title":"J Law Econ"},{"key":"2025112702400164500_bib25","first-page":"1","article-title":"The Effect of Competition Intensity on Software Security\u2014An Empirical Analysis of Security Patch Release on the Web Browser Market","author":"Jo","year":"2017"},{"key":"2025112702400164500_bib26","doi-asserted-by":"crossref","first-page":"5:1","DOI":"10.1145\/2975591","article-title":"Detection of rogue certificates from trusted certificate authorities using deep neural networks","volume":"19","author":"Dong","year":"2016","journal-title":"ACM Trans Priv Secur"},{"key":"2025112702400164500_bib27","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1145\/2660574","article-title":"Security collapse in the HTTPS market","volume":"57","author":"Arnbak","year":"2014","journal-title":"Com ACM"},{"article-title":"The economics of cryptographic trust: understanding certificate authorities","year":"2016","author":"Specter","key":"2025112702400164500_bib28"},{"year":"2022","key":"2025112702400164500_bib29","article-title":"Certificate authority market size & share analysis\u2014growth trends & forecasts. Mordor Intelligence"},{"year":"2022","key":"2025112702400164500_bib30","article-title":"Certificate authority market share, size, trends, industry analysis report, 2022-2030. Polaris Market Research & Consulting, Inc"},{"key":"2025112702400164500_bib31","article-title":"Members list at CAB Forum. 2023"},{"key":"2025112702400164500_bib32","doi-asserted-by":"crossref","first-page":"250","DOI":"10.1007\/978-3-642-27576-0_20","article-title":"Certified lies: Detecting and defeating government interception attacks against ssl (Short Paper)","volume-title":"Financial Cryptography and Data Security","author":"Soghoian","year":"2012"},{"key":"2025112702400164500_bib33","doi-asserted-by":"crossref","first-page":"125","DOI":"10.1145\/3419394.3423665","article-title":"Investigating large scale HTTPS interception in kazakhstan","volume-title":"Proceedings of the ACM Internet Measurement Conference","author":"Raman","year":"2020"},{"year":"2021","key":"2025112702400164500_bib34","article-title":"tls-observatory command - github.com\/PinkNoize\/tls-observatory\u2014Go Packages"},{"key":"2025112702400164500_bib35","first-page":"3","article-title":"The \u201ccertificate authority\u201d trust model for SSL: A defective foundation for encrypted web traffic and a legal quagmire","volume":"22","author":"Roosa","year":"2010","journal-title":"Intellect Prop Technol Law J"},{"key":"2025112702400164500_bib36","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1007\/978-1-4614-1981-5_5","article-title":"The inconvenient truth about web certificates","volume-title":"Economics of Information Security and Privacy III","author":"Vratonjic","year":"2013"},{"article-title":"An observatory for the SSLivserse","year":"2010","author":"Eckersley","key":"2025112702400164500_bib37"},{"year":"2010","key":"2025112702400164500_bib38","article-title":"Statement of the CA\/Browser Forum concerning the EFF\u2019s SSL observatory"},{"year":"2011","key":"2025112702400164500_bib39","article-title":"Public comment release of \u201cBaseline requirements for the issuance and management of publicly-trusted certificates\u201d"},{"volume-title":"Interim Report: DigiNotar Certificate Authority Breach \u201cOperation Black Tulip\u201d","year":"2011","author":"Prins","key":"2025112702400164500_bib40"},{"year":"2012","key":"2025112702400164500_bib41","article-title":"Bylaws of the CA\/Browser Forum, adopted, effective as of 23 November 2012"},{"key":"2025112702400164500_bib42","article-title":"FAQ for baseline requirements. CA\/Browser Forum"},{"key":"2025112702400164500_bib43","article-title":"Comparison of changes documents. CA\/Browser Forum GitHub"},{"year":"2014","key":"2025112702400164500_bib44","article-title":"CA Security Council. World\u2019s leading certificate authorities come together to advance internet security and trusted SSL ecosystem"},{"key":"2025112702400164500_bib48","article-title":"Certificate transparency website as of 16 November 2023"},{"article-title":"Certificate transparency. Internet Engineering Task Force","year":"2013","author":"Laurie","key":"2025112702400164500_bib45"},{"key":"2025112702400164500_bib46","article-title":"Certificate Transparency website as of 16 November 2023"},{"year":"2014","key":"2025112702400164500_bib47","article-title":"CA\/B Forum. Face to Face Meeting minutes"},{"article-title":"Problems with the public key infrastructure (PKI) for the World Wide Web","year":"2015","author":"Housley","key":"2025112702400164500_bib49"},{"key":"2025112702400164500_bib50","article-title":"Apple strong-arms entire CA industry into one-year certificate lifespans","volume-title":"ZDNET","author":"Cimpanu","year":"2020"},{"key":"2025112702400164500_bib51","article-title":"Let\u2019s Encrypt","volume-title":"Boom Swagger Boom","author":"Aas","year":"2014"},{"key":"2025112702400164500_bib52","doi-asserted-by":"crossref","DOI":"10.17487\/RFC8555","article-title":"Automatic certificate management environment (ACME)","author":"Barnes","year":"2019"},{"key":"2025112702400164500_bib53","article-title":"Shortening the Let\u2019s encrypt chain of trust","volume-title":"Let\u2019s Encrypt","author":"Gable","year":"2023"},{"key":"2025112702400164500_bib54","article-title":"Sustaining digital certificate security","volume-title":"Google Security Blog","author":"Sleevi","year":"2015"},{"key":"2025112702400164500_bib55","article-title":"Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated]","volume-title":"Ars Technica","author":"Goodin","year":"2017"},{"article-title":"Intent to deprecate and remove: Trust in existing Symantec-issued certificates","year":"\u00a02017","author":"Sleevi","key":"2025112702400164500_bib56"},{"key":"2025112702400164500_bib57","doi-asserted-by":"crossref","first-page":"1373","DOI":"10.1145\/3460120.3484768","article-title":"Rusted anchors: A national client-side view of hidden root CAs in the Web PKI ecosystem","volume-title":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","author":"Zhang","year":"2021"},{"key":"2025112702400164500_bib58","doi-asserted-by":"crossref","first-page":"785","DOI":"10.1109\/SP.2018.00015","article-title":"Tracking certificate misissuance in the wild","volume-title":"2018 IEEE Symposium on Security and Privacy (SP)","author":"Kumar","year":"2018"},{"key":"2025112702400164500_bib59","doi-asserted-by":"crossref","DOI":"10.1201\/9781003123675","volume-title":"Crypto Wars: The Fight for Privacy in the Digital Age: A Political History of Digital Encryption","author":"Jarvis","year":"2020","edition":"1st ed."},{"article-title":"A Syrian man-in-the-middle attack against Facebook","year":"2011","author":"Eckersleyd","key":"2025112702400164500_bib60"},{"article-title":"Maintaining digital certificate security","year":"2015","author":"Langley","key":"2025112702400164500_bib61"},{"key":"2025112702400164500_bib62","doi-asserted-by":"crossref","first-page":"12679","DOI":"10.3390\/app122412679","article-title":"The eIDAS regulation: a survey of technological trends for european electronic identity schemes","volume":"12","author":"Sharif","year":"2022","journal-title":"Appl Sci"},{"key":"2025112702400164500_bib63","first-page":"75","article-title":"eIDAS implementation challenges: The Case of Estonia and the Netherlands","volume-title":"Electronic Governance and Open Society: Challenges in Eurasia - 7th International Conference, EGOSE 2020, Proceedings","author":"Lips","year":"2020"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf018\/63977518\/tyaf018.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf018\/63977518\/tyaf018.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,27]],"date-time":"2025-11-27T07:40:15Z","timestamp":1764229215000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaf018\/8225340"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":63,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaf018","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"type":"print","value":"2057-2085"},{"type":"electronic","value":"2057-2093"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyaf018"}}