WebPKI Observatory — Geographic Risk
Certificate authority operations concentrate heavily in the United States and Europe, with significant secondary presence in China and other jurisdictions identified as high-risk for compelled disclosure. The geographic distribution creates both redundancy and exposure, as CAs in different legal regimes face different governmental access requirements. This jurisdictional diversity means that no single nation-state can compel universal surveillance, but it also ensures that some portion of certificate issuance remains subject to laws permitting secret government access.