WebPKI Observatory — Concentration Risk

The WebPKI exhibits a Herfindahl-Hirschman Index (HHI) of 2367, well above the 1800 threshold that antitrust regulators typically flag as highly concentrated. The three-firm concentration ratio (CR3) of 70.15% means three organizations control more than two-thirds of certificate issuance, creating systemic dependency on ISRG, Google, and DigiCert. While concentration can improve security through operational excellence at scale, it also means that a compliance failure or distrust event at any top-three CA would immediately disrupt a majority of HTTPS connections.
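An added example, not code or data from the WebPKI Observatory: it derives HHI and CR3 from issuance counts rolled up to the owning organization, and shows what share of certificates a single distrust event would remove. The sample rows, the organization names and the assumption that affected subscribers re-issue proportionally among the remaining CAs are all constructed for illustration.

```python
from collections import Counter

HIGHLY_CONCENTRATED = 1800  # threshold quoted in the paragraph above

# Constructed sample rows: (issuing CA, owning organization, certificates issued).
SAMPLE = [
    ("Issuer A1", "Org A", 300),
    ("Issuer A2", "Org A", 200),
    ("Issuer B1", "Org B", 200),
    ("Issuer C1", "Org C", 100),
    ("Issuer D1", "Org D", 100),
    ("Issuer E1", "Org E", 100),
]

def by_key(rows, idx):
    """Sum certificate counts by column idx (0 = issuer, 1 = owner)."""
    counts = Counter()
    for row in rows:
        counts[row[idx]] += row[2]
    return dict(counts)

def shares(counts):
    """Percentage share of total issuance per key."""
    total = sum(counts.values())
    if total <= 0:
        raise ValueError("no issuance data")
    return {k: 100.0 * n / total for k, n in counts.items()}

def hhi(counts):
    """Herfindahl-Hirschman Index: sum of squared percentage shares (0..10000)."""
    return sum(s * s for s in shares(counts).values())

def cr(counts, n=3):
    """Concentration ratio: combined share of the n largest keys."""
    return sum(sorted(shares(counts).values(), reverse=True)[:n])

def distrust_impact(counts, org):
    """Return (share of certs that lose trust, HHI of the market that remains).
    Assumption: subscribers re-issue proportionally among the remaining orgs."""
    lost = shares(counts)[org]
    remaining = {k: v for k, v in counts.items() if k != org}
    return lost, hhi(remaining)

if __name__ == "__main__":
    owners = by_key(SAMPLE, 1)
    print("HHI per issuer:", hhi(by_key(SAMPLE, 0)))  # understates concentration
    print("HHI per owner: ", hhi(owners), "CR3:", cr(owners))
    print("highly concentrated:", hhi(owners) > HIGHLY_CONCENTRATED)
    print("distrust Org A:", distrust_impact(owners, "Org A"))
```

Grouping by issuing CA instead of owning organization understates concentration whenever one organization operates several issuers, which is why the roll-up step comes first.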
