How Makers of Web Browsers Include CAs in Their Products
Since Certificate Authorities (CAs) are on many people's minds nowadays, we asked @sans_isc followers on Twitter:
How do browser makers (Microsoft, Mozilla, Google, Opera) decide which CAs to put into the product?
Several individuals kindly provided us with pointers to the vendors' documentation that describes their processes for including CAs in web browser distributions:
- Microsoft describes its Root Certificate Program (thanks, @leftistqueer)
- Mozilla maintains a CA Certificate Inclusion Policy (thanks, @ypatiadotca and @rik24d)
- Apple documents the requirements for its Root Certificate Program (thanks, @GothAlice)
- Opera clarifies how to get a root certificate included in its browser (thanks, @Chasapple)
If you have a pointer to Google Chrome certificate-inclusion practices, please let us know.
-- Lenny
Lenny Zeltser focuses on safeguarding customers' IT operations at Radiant Systems. He also teaches how to analyze and combat malware at SANS Institute. Lenny is active on Twitter and writes a daily security blog.
Comments
otmar
Sep 8th 2011
Rich Compton
Sep 8th 2011
On Linux, Chromium uses the NSS Shared DB (https://code.google.com/p/chromium/wiki/LinuxCertManagement and http://wiki.cacert.org/FAQ/BrowserClients?action=show&redirect=BrowserClients#Linux).
Raul Siles
Sep 11th 2011