Who was in the first set of CAs

Question

I am currently digging into the history of SSL/TLS. I found that netscape introduced SSL around 1994/1995. They obviously decided to go with a X.509 PKI to mitigate MitM attacks. I, however, could not find any information who was in the first set of CAs?
Can anyone provide me with the list and in an optimal case with a source for the information?

Answer 1

This might not be exactly the same as what was in the first Netscape release with SSL, but you can find one early list by running an emulated Windows 95 system from a 1996 install disk at win95.ajf.me and look at the built-in site certificates (Control Panel - Internet Properties - Security tab):

• AT&T Certificate Services
• AT&T Directory Services
• AT&T Prototype Research CA
• internetMCI Mall
• Keywitness Canada Inc.
• Verisign Class 2 Public Primary CA
• Verisign Class 3 Public Primary CA
• Verisign Class 4 Public Primary CA
• Verisign/RSA Commerical
• Verisign/RSA Secure Server

A later source from January 1999 is this thread, where Dan Geer compiled a list of the certificates included with Netscape v4.5 and Explorer v4.0.

Another good resource on early CAs is a project to create a "top-level certification authority (CA) using paper and ink," The Global Trust Register, which has a list of global CAs that the authors could find and verify in 1998. There is a copy available online here.

Answer 2

In my recollection, two big early CA players were VeriSign, founded out of RSA Laboratories, and Thawte, founded by Mark Shuttleworth, who went on to found Ubuntu. Equifax, in the credit reporting business, was also an early CA. GlobalSign claims to have been the first CA in Europe. Many of the current players in the CA space came later or acquired/aggregated their businesses.

Early mozilla source code releases (https://archive.mozilla.org/pub/mozilla/releases/) should be a canonical repository of root certificates packaged with the circa 1990s Netscape browser.