On 2017-03-23 16:39, Ryan Sleevi wrote:
> On Thu, Mar 23, 2017 at 8:37 AM, Peter Kurrasch via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> I would be interested in knowing why Google felt it necessary to purchase
>> an existing root instead of, for example, pursuing a "new root" path along
>> the lines of what Let's Encrypt did? All I could gather from the Google
>> security blog is that they really want to be a root CA and to do it in a
>> hurry. Why the need to do it quickly, especially given the risks (attack
>> surface)?
>
> Clarification: I'm not speaking on behalf of Google
>
> I think this demonstrates a lack of understanding of what Let's Encrypt
> did. Let's Encrypt obtained a cross-signed certificate (from IdenTrust),
> which is "purchasing" a signature for their key. This is one approach.
> Purchasing a pre-existing signature (and key) is another. They are
> functionally equivalent.
>
> So what Google has done is what Let's Encrypt did.

There are a few differences between the two:
- With the signature from IdenTrust, Let's Encrypt is not a trusted root
CA, it's an intermediate CA. The ISRG also generated its own root CA.
- Let's Encrypt has its own name (Let's Encrypt, ISRG) on the
certificate. It's clear who the owner of the certificate is. It's not
clear that a GlobalSign certificate is not owned or controlled by
GlobalSign but instead by some other corporation that doesn't have any
relation to the first.

I find this second point rather annoying. As far as I know it's not the
first time something like that happened. I would not have a problem with
something like that if Google bought (all CAs from) GlobalSign, but I
dislike that some CAs which appear to be from the same company are
actually owned by several unrelated ones.

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy