Issuer reputation tier
#97 · Recommended · Web Quality · weighted · Security · impl todo
Source: Leaf certificate's Issuer DN (Distinguished Name) — Common Name and Organization fields parsed from ASN.1, matched against a maintained pattern list of well-known CAs.
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
No matrix row defined yet — this factor falls back to a neutral weight of 1.0 across every site type until the methodology is tuned.
What this means for your business
Some certificate vendors have been kicked out of browsers in the past for sloppy practices. Sticking with a well-known name — Let's Encrypt, DigiCert, Cloudflare, Google, Sectigo — means your padlock keeps working on every device for years.
Plain title: Your padlock comes from a reputable vendor
What we measure
Certificate quality correlates with issuer competence. Mainstream public CAs (Let's Encrypt, DigiCert, Sectigo, Google Trust, GlobalSign, Amazon, Cloudflare, Buypass, ZeroSSL, IdenTrust, Microsoft, Entrust) undergo rigorous audits against the CA/Browser Forum Baseline Requirements and follow modern issuance practices. "Other" issuers are heterogeneous: some are fine, while others were later distrusted by browsers (Symantec/RapidSSL 2018, WoSign 2016). This factor is a positive signal for using a CA known to be well managed, not a punishment for everyone else.
How to improve your score
If your issuer doesn't appear in the well-known list and you're not on a private/internal CA on purpose, switch issuers. ACME issuers (Let's Encrypt, ZeroSSL, Google Trust Services, Buypass) are free and well-audited. DigiCert and Sectigo are paid but cover EV / OV certs and broader compatibility profiles. The migration is usually one ACME renewal away — your existing private key and CSR don't have to change.
Facts
Implementation notes
pass=100: issuer matches a well-known mainstream CA family.
warn=60: issuer is a regional or enterprise CA we don't recognize (could be fine, just not a default-trust signal).
fail=0: reserved for future explicit distrust-list match.
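A sketch of the pass/warn/fail mapping above, added here as an example and not the project's own code (the page lists the scoring implementation as todo). It assumes the chain has already been validated, takes the issuer in the tuple shape Python's `ssl.getpeercert()` returns instead of parsing ASN.1, and uses a constructed name list and hypothetical function names.

```python
import re

# Constructed name list built from the CAs this page names; the methodology's
# maintained pattern list is not shown on the page, so this is an assumption.
WELL_KNOWN = ("let's encrypt", "digicert", "sectigo", "google trust services",
              "globalsign", "amazon", "cloudflare", "buypass", "zerossl",
              "identrust", "microsoft", "entrust")
DISTRUSTED = ()  # fail=0 is reserved for a future explicit distrust list
SCORES = {"pass": 100, "warn": 60, "fail": 0}


def _matcher(names):
    """Anchored, word-bounded prefix match: 'Entrust, Inc.' matches 'entrust',
    'Entrustworthy CA' and 'Not DigiCert' do not."""
    if not names:
        return None
    alternation = "|".join(re.escape(n) for n in names)
    return re.compile(r"(?:%s)\b" % alternation, re.IGNORECASE)


_WELL_KNOWN_RE = _matcher(WELL_KNOWN)
_DISTRUSTED_RE = _matcher(DISTRUSTED)


def issuer_names(issuer):
    """Collect O and CN values from an ssl.getpeercert()-style issuer tuple."""
    wanted = ("organizationName", "commonName")
    return [" ".join(value.split())
            for rdn in issuer for key, value in rdn if key in wanted]


def issuer_tier(issuer):
    """Return (status, score) for one leaf certificate's Issuer DN."""
    names = issuer_names(issuer)
    if _DISTRUSTED_RE and any(_DISTRUSTED_RE.match(n) for n in names):
        return "fail", SCORES["fail"]
    if any(_WELL_KNOWN_RE.match(n) for n in names):
        return "pass", SCORES["pass"]
    return "warn", SCORES["warn"]


# Constructed sample issuers in the shape ssl.getpeercert() returns.
SAMPLES = {
    "acme": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
             (("commonName", "R11"),)),
    "regional": ((("organizationName", "Example Regional CA"),),
                 (("commonName", "Example Regional Issuing CA 1"),)),
    "lookalike": ((("organizationName", "Entrustworthy Certificates"),),
                  (("commonName", "Not DigiCert CA"),)),
}
```

The anchored match is the part worth copying: a plain substring test would score the constructed "lookalike" issuer as a pass.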
Scoring
Scoring formulas are versioned with the methodology. The current method maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Version history
| Version | Change | Date |
|---|---|---|
| v0.1 | Factor introduced. Status: proposed. Scoring impl: todo. | 2026-04-25 |