On 2017-03-23 16:39, Ryan Sleevi wrote:
On Thu, Mar 23, 2017 at 8:37 AM, Peter Kurrasch via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

‎I would be interested in knowing why Google felt it necessary to purchase
an existing root instead of, for example, pursuing a "new root" path along
the lines of what Let's Encrypt did? All I could gather from the Google
security blog is that they really want to be a root CA and to do it in a
hurry. ‎Why the need to do it quickly, especially given the risks (attack

Clarification: I'm not speaking on behalf of Google

I think this demonstrates a lack of understanding of what Let's Encrypt
did. Let's Encrypt obtained a cross-signed certificate (from IdenTrust),
which is "purchasing" a signature for their key. This is one approach.
Purchasing a pre-existing signature (and key) is another. They are
functionally equivalent.

So what Google has done is what is what Let's Encrypt did.

There are a few difference between the two:
- With the signature from IdenTrust, Let's encrypt is not a trusted root CA, it's an intermediate CA. The ISRG also generated it's own root CA. - Let's encrypt has it's own name (Let's encrypt, ISRG) on the certificate. It's clear who the owner of the certificate it. It's not clear that a GlobalSign certificate is not owned or controlled by GlobalSign but instead by some other corporation that doesn't have any relation to the first.

I find this second point rather annoying. As far as I know it's not the first time something like that happened. I would not have a problem with something like that if Google bought (all CAs from) GlobalSign, but I dislike that some CAs which appear to be from the same company are actually owned by several unrelated ones.


dev-security-policy mailing list

Reply via email to