Google has inevitably become its own root Certificate Authority, allowing it to issue digital certificates for its products rather than relying on third-party cert vendors to validate Google properties.
The move was announced Thursday, along with the creation of a new entity called Google Trust Services that will operate the CA for Google and its parent company Alphabet Inc.
Until now, Google has been operating as its own subordinate CA (GIAG2) with SSL and TLS certs issued by a third party for Google products; Hurst said Google will continue to do so.
To facilitate Google’s position as a root CA, the company said it has acquired existing root CAs from GlobalSign: R2 and R4.
“These Root Certificates will enable us to begin independent certificate issuance sooner rather than later,” said Ryan Hurst, a manager in Google’s Security and Privacy Engineering outfit.
“Although on the other side they’ve put in place a whole bunch of protections already in products like Chrome that make it hard to impersonate Google properties, so this seems like an incremental move,” Green said.
Google has published the root certificates it manages, and expects developers who build software and applications that need to connect to Google to include the certs as trusted. It also may choose to operate subordinate CAs under third-party operated roots, Hurst said.
“For this reason if you are developing code intended to connect to a Google property, we still recommend you include a wide set of trustworthy roots,” Hurst said.
The fragile state of CAs and certificate management has manifested itself in a number of high-profile mishaps, including a GlobalSign certificate revocation error last fall affecting availability of sites on the web, and a loss of trust in WoSign/StartCom and CNNIC certificates for violations of industry-standard practices. Revoking certificates that already live in browsers, operating systems, networking gear and servers is a chore. Google’s entry into the fray as a root CA puts the entire system under greater scrutiny.