> Google requests that certain subCA SPKIs are whitelisted, to ensure continued trust of Symantec-issued certificates that are used by infrastructure that is operated by Google.
>
> Is whitelisting the SPKI found in the Google subCA sufficient to achieve the need of trusting Google's server infrastructure?
Kai, I will do my best to answer this question.

Alphabet has a policy that all of its companies should be getting certificates from the Google PKI infrastructure. Right now, in the context of certificate chains, you see that manifested as certificates issued under GIAG2 and GIAG3. We are actively migrating from GIAG2 (issued under a Symantec-owned root) to GIAG3 (issued under a root we own and operate). This transition will be complete in August 2018.

Given the size and nature of the Google organization, sometimes other CAs are used, either by accident because the team did not know any better, because the organization is part of an acquisition that is not yet integrated, or because there is some sort of exceptional requirement/situation that necessitates it. For this, and other reasons, we tell partners that we reserve the right to use other roots should the need arise, and we publish a list of root certificates we may use (https://pki.goog/faq.html, see "what roots to trust").

As for the use of the

With that background, nearly all certificates for Alphabet (and Google) properties will be issued by a Google-operated CA. In the context of the whitelist, we believe the SPKI approach should be sufficient for those applications who also need to whitelist associated CA(s). I am also not aware of any Alphabet properties utilizing the DigiCert Managed Partner Infrastructure (beyond one subCA they operate that is not in use).

In summary, while an SPKI whitelist should work for the current situation, applications communicating with Alphabet properties should still trust (and periodically update to) the more complete list of roots listed in the FAQ.

Ryan Hurst
Google

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
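The SPKI-whitelist mechanism discussed in this thread, as an added example that is not part of the original post or of any Google or Mozilla code: a Go program (standard library only) that fingerprints the SubjectPublicKeyInfo of each CA certificate in a chain and checks it against a whitelist, showing why a whitelist keyed on the subCA's SPKI keeps matching when that subCA is re-issued under a different root. The PKI it builds (two roots, one cross-signed subCA, one unrelated subCA) is constructed for the demo, and `must`, `issue` and `Scenario` are helpers of this example, not real APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
)

// SPKIFingerprint hashes the DER SubjectPublicKeyInfo. A whitelist keyed on it follows the CA's public
// key rather than one certificate, so a subCA cross-signed by two roots matches under either chain.
func SPKIFingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// ChainWhitelisted reports whether any CA certificate in chain carries a whitelisted SPKI; it supplements ordinary path validation (signatures, expiry, names) and does not replace it.
func ChainWhitelisted(chain []*x509.Certificate, wl map[[32]byte]bool) bool {
	for _, c := range chain {
		if c.IsCA && wl[SPKIFingerprint(c)] {
			return true
		}
	}
	return false
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs a minimal certificate for key's public key with parentKey; a nil parent means self-signed (demo helper).
func issue(isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))))
}
// Scenario (constructed PKI): one subCA key cross-signed by an "old" and a "new" root, plus an unrelated subCA; each chain is checked against a whitelist holding only the cross-signed subCA's SPKI.
func Scenario() (underOld, underNew, unrelated bool) {
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	oldK, newK, subK := key(), key(), key()
	oldRoot, newRoot := issue(true, oldK, nil, oldK), issue(true, newK, nil, newK)
	subOld, subNew := issue(true, subK, oldRoot, oldK), issue(true, subK, newRoot, newK) // same key, two issuers
	other, leaf := issue(true, key(), oldRoot, oldK), issue(false, key(), subOld, subK)  // other: different key
	wl := map[[32]byte]bool{SPKIFingerprint(subOld): true}
	return ChainWhitelisted([]*x509.Certificate{leaf, subOld, oldRoot}, wl), // true
		ChainWhitelisted([]*x509.Certificate{leaf, subNew, newRoot}, wl), // true: same SPKI under the new root
		ChainWhitelisted([]*x509.Certificate{leaf, other, oldRoot}, wl) // false: unrelated subCA key
}
```

Because the check ignores which root signed the subCA, a client that pins only this SPKI keeps trusting the chain across a root migration such as GIAG2 to GIAG3 only if the subCA key is unchanged, which is why the post still recommends trusting the fuller root list as well.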

