On 10/03/2017 07:29, Ryan Hurst wrote:
> On Thursday, March 9, 2017 at 9:00:21 PM UTC-8, Peter Kurrasch wrote:
>> By definition, a CPS is the authoritative document on what root
>> certificates a CA operates and how they go about that operation. If the
>> GlobalSign CPS has been updated to reflect the loss of their 2 roots,
>> that's fine. Nobody is questioning that.
>> What is being questioned is whether updating the GlobalSign CPS is
>> sufficient to address the needs, concerns, questions, or myriad other
>> issues that are likely to come up in the minds of GlobalSign subscribers
>> and relying parties--and, for that matter, Google's own subscribers and
>> relying parties. To that, I think the answer must be: "no, it's not
>> enough". Most people on the internet have never heard of a CPS and of
>> those who have, few will have ever read one and fewer still will have read
>> the GlobalSign CPS.
> Again, while I cannot speak for GlobalSign, I can say that there has been far
> more public notice than a simple CP/CPS update.
> In addition to the Google Blog post about the acquisition,
> the purchase was picked up by many high profile technology news sources, some
> of which included:
> Also, this topic has been discussed at great length in numerous forums around
> This is above and beyond the public notification that is built into the various
> root programs such as:
> The Google Trust Services CP/CPS lists GlobalSign as subordinates
> The Google Trust Services website has a link to the GlobalSign CP/CPS as well
> as their audit reports.
> The Mozilla bug on this topic discusses the change in ownership,
> The Mozilla CA registry will also reference the change in ownership,
> The Microsoft CA registry will also reference the change in ownership,
> The Mozilla Salesforce instance will reference the change in ownership,
> This public thread discusses the change in ownership.
> I am not sure there are many more meaningful options of notification left.
Those are all point-in-time news items, not pages that purport to be up
to date information of the current status when they are visited.
> Additionally, as stated, EV badges will still correctly reflect that it is
> GlobalSign who issues the associated certificates, and not Google.
> The only opportunity for confusion comes from those who look at the
> certificates themselves and missed all of the above notifications.
> It is also important to note that this is a very common situation; to see how
> common it is, visit the page Microsoft maintains for Root Program members -
> You will notice the first column is the name of the current owner and the
> second column is the name in the certificate.
> A few you will notice are:
> Amazon, Starfield Services Root Certificate Authority - G2
> Asseco Data Systems S.A. (previously Unizeto Certum), Certum CA
> Entrust, Trend Micro 1
> Entrust, Trend Micro 2
> Entrust, Trend Micro 3
> Entrust, Trend Micro 4
> Comodo, The USERTrust Network™
> Comodo, USERTrust (Client Authentication / Secure Email)
> Comodo, USERTrust (Code Signing)
> Comodo, USERTrust RSA Certification Authority
> Symantec / GeoTrust
> Symantec / Thawte
> Symantec / VeriSign
> Trustwave, XRamp Global Certification Authority
Of all these, Starfield seems to be the only case where a single CA
name now refers to two different current CA operators (GoDaddy and
Amazon). All the others are cases of complete takeover. None are
cases where the name in the certificate is a still operating CA
operator, but the root is actually operated by a different entity.
Also, I don't see Google on that list.
> While I sincerely want to make sure there are no surprises, given how common it
> is for names in root certificates not to match the current owner, those who are
> looking at certificate chains should not be relying on the value in the root
> certificate in the first place wrong in very significant situations.
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list