Could governments and banks become CAs?

I know of at least one government that has a root CA:

Staat der Nederlanden Root CA

The state of the Netherlands. As far as I know they don't use it to identify people when they come pick up their driver license.

I think Estonia has a system in which all residents have a card containing a certificate.


To complement Sjoerd's answer: some countries even give every single citizen and resident their own certificates, stored inside an ICC that is also the primary identity document. For illustration, here are mine (and the two CAs from the trust store of my macOS computer).

Belgium Root CA3, Citizen CA, and two citizen certificates

They're used in government agencies, post offices, pharmacies, and even companies. Many also use them online (using a smartcard reader and a browser extension) to file their taxes, access official correspondence, or request/check on social benefits.


Is there any reason (from a security standpoint) that a government, bank, or credit card company should not be part of PKI?

Mixing business and worldwide government interests isn't something most security professionals are keen on, and the damage that can be caused by a rogue CA (whoever the owner was/is) is very real, so that is the main security risk.

There are a few (like CNNIC), but the community isn't overly keen on them, and some have been revoked from the popular certificate stores (which is pretty much as good as killing them off) because of proven abuse.

That said, the reason there aren't many is probably mostly non-technical. The barrier to entry is that they would have to maintain its security and probably have regular audits to remain eligible for some lists, such as the Mozilla Firefox default list of trusted CAs (which I would imagine most wouldn't want to bother with unless they're charging an amount that makes it commercially viable), and also be trusted not to sign other certificates that they are not entitled to. Certificate pinning helps (it's tricky to fake google.com with modern browsers now), but that's not going to stop them from pretending to be my bank etc. if they get compromised. Plus there's the added reputation risk if they get compromised, which makes it less appealing.

See also "Are there other roots of trust on my computer aside from these 46 root certificates?", which references the Hong Kong Post Office root certificate.

This page, listing the main stores and the principles and criteria they must follow to be included, may also help.
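As an added illustration of the pinning point in the answer above (this is not code from any answer on the page), here is a Go program using only the standard library, with constructed roots ("Root A", "Root B") and a constructed hostname (bank.example). It shows that a trust store accepts a certificate for a name as long as any trusted root signed it, while an SPKI pin on the genuine key does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint builds a certificate for name (constructed test data): with parent == nil a self-signed
// CA root, otherwise a server certificate for hostname name signed by parent.
func mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // Go matches hostnames against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // a root signs itself and is allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning client remembers.
func SPKIPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Scenario: the store trusts roots A and B. The bank's genuine certificate chains to root A and the
// client pinned its key; a certificate for the same hostname signed by root B is then checked both ways.
func Scenario() (storeAccepts, pinAccepts bool) {
	rootA, keyA := mint("Root A", nil, nil)
	rootB, keyB := mint("Root B", nil, nil)
	genuine, _ := mint("bank.example", rootA, keyA)
	pins := map[[32]byte]bool{SPKIPin(genuine): true}
	other, _ := mint("bank.example", rootB, keyB)
	store := x509.NewCertPool() // both roots are trusted, exactly as an OS or browser store would hold them
	store.AddCert(rootA)
	store.AddCert(rootB)
	_, err := other.Verify(x509.VerifyOptions{Roots: store, DNSName: "bank.example"})
	return err == nil, pins[SPKIPin(other)]
}
```

The store-only check passes for the root-B certificate, which is the risk the answer describes; the pin check fails, which is the detection pinning adds on top of the trust store.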