After Google Launched its Certification Authority in August 2017, it has now put in a request to Mozilla certification store for the inclusion of the Google Trust Services R1, R2, R3, and R4 roots as documented in the following bug.
Google’s application states the following-
“Google is a commercial CA that will provide certificates to customers from around the world. We will offer certificates for server authentication, client authentication, email (both signing and encrypting), and code signing. Customers of the Google PKI are the general public. We will not require that customers have a domain registration with Google, use domain suffixes where Google is the registrant, or have other services from Google.”
What are Google Trust Services Roots?
To adopt an independent infrastructure and build the “foundation of a more secure web,” Google Trust Services allows the company to issue its own TLS/SSL certificates for securing its web traffic via HTTPS, instead of relying on third-party certs.
The main aim of launching the GTS was to bring security and authentication certificates up to par with Google’s rigorous security standards. This means invalidating the old, insecure HTTP standard in Chrome, and depreciate Adobe Flash, a web program known to be insecure, and a resource hog. GTS will provide HTTPS certificates public websites to API servers, and it will be inclusive to all Alphabet companies, not just Google.
Developers who build products that connect to Google’s services will have to include the new Root Certificates.
All GTS roots expire in 2036, while GS Root R2 expires in 2021 and GS Root R4 in 2038. Google will also be able to cross-sign its CAs, using GS Root R3 and GeoTrust, to ease potential timing issues while setting up the root CAs. To know more about these trust services, you can visit GlobalSign.
Some noticeable points in this request are
- Google has supplied a key generation ceremony audit report
- Other than the disclosed intermediates and required test certificates, no issuance has been detected from these roots.
- Section 1.4.2 of the CPS expressly forbids the use of Google certificates for “man-in-the middle purposes”.
- Appendix C of the current CPS indicates that Google limits the lifetime of server certificates to 365 days.
The following concerns exist in the Roots-
- From the transfer on 11-August 2016 through 8-December 2016, at the time it would not have been clear if any policies applied to these new roots. The applicable CPS (Certification Practice Statement) during that period makes no reference to these roots. Google does state in their current CPS that these roots were operated according to that CPS.
- From the transfer on 11-August 2016 through the end of Google’s audit period on 30-September, 2016, these roots were not explicitly covered by either Google’s audit nor GlobalSign’s audit.
The discussion was concluded with adding this policy to the main Mozilla Root Store Policy (section 8).
With these changes and the filing of the bug, Mozilla plans to take no action against GTS based on what has been discovered and discussed.
Here is what users had to say on this request-
To get a complete insight into this request, head over to Google groups.