> > Google requests that certain subCA SPKIs are whitelisted, to ensure
> > continued trust of Symantec-issued certificates that are used by
> > infrastructure that is operated by Google.
> > Is whitelisting the SPKI found in the Google subCA sufficient to achieve
> > the need of trusting Google's server infrastructure?
I will do my best to answer this question.
Alphabet has a policy that all of its companies should be getting certificates
from the Google PKI infrastructure. Right now, in the context of certificate
chains, you see that manifested as certificates issued under GIAG2 and GIAG3.
We are actively migrating from GIAG2 (issued under a Symantec-owned root) to
GIAG3 (issued under a root we own and operate). This transition will be
complete in August 2018.
Given the size and nature of the Google organization, sometimes other CAs are
used, either by accident because the team did not know any better, because the
organization is part of an acquisition that is not yet integrated, or because
there may be some sort of exceptional requirement/situation that necessitates it.
For this, and other reasons, we tell partners that we reserve the right to use
other roots should the need arise, and we publish a list of root certificates we
may use (https://pki.goog/faq.html, see "what roots to trust").
As for the use of the With that background nearly all certificates for Alphabet
(and Google) properties will be issued by a Google operated CA.
In the context of the whitelist, we believe the SPKI approach should be
sufficient for those applications that also need to whitelist the associated CA(s).
I am also not aware of any Alphabet properties utilizing DigiCert's Managed
Partner Infrastructure (beyond one subCA they operate that is not in use).
In summary, while an SPKI whitelist should work for the current situation,
applications communicating with Alphabet properties should still trust (and
periodically update to) the more complete list of roots listed in the FAQ.
dev-security-policy mailing list