
Google CA Root Inclusion Request - nailer
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/KYwIf67hcMg
======
scrollaway
[https://bugzilla.mozilla.org/show_bug.cgi?id=1325532](https://bugzilla.mozilla.org/show_bug.cgi?id=1325532)

> Google Trust Services is run by Google. Google is a commercial CA that will
> provide certificates to customers from around the world. We will offer
> certificates for server authentication, client authentication, email (both
> signing and encrypting), and code signing. Customers of the Google PKI are
> the general public. We will not require that customers have a domain
> registration with Google, use domain suffixes where Google is the
> registrant, or have other services from Google.

Finding the "email" bit interesting. All this makes a lot of sense, and I'd
say I'm surprised this didn't come sooner but the initial issue was filed 2
years ago, and they must have worked on this for several years already then.

As an aside this is a fascinating glimpse into what it takes to run a
(serious) CA.
[https://static.googleusercontent.com/media/pki.goog/en/GTS-C...](https://static.googleusercontent.com/media/pki.goog/en/GTS-CP-1.0.pdf)

~~~
TheSwordsman
This URL 404s.

~~~
scrollaway
Weird. It needs the second slash.

[https://static.googleusercontent.com/media/pki.goog//en/GTS-...](https://static.googleusercontent.com/media/pki.goog//en/GTS-CP-1.0.pdf)

------
walterbell
Remember there is an AMP proposal for certificates to replace DNS for web site
identity. In that scenario, Chrome would stop showing URLs and would only show
the human-readable identity that signed the page, as validated by a
certificate.

This would allow signed site pages to be navigated offline or replicated
widely or blacklisted :( There is a risk that Content IDentity would factor
into EU upload filters and "link" taxes.

History and Chrome demo video:
[https://news.ycombinator.com/item?id=17920720#17923156](https://news.ycombinator.com/item?id=17920720#17923156)

~~~
geofft
Why is there more risk of sites being blacklisted with this model than with
existing mechanisms? Google Safe Browsing can always ban your site. If you say
"But people can turn off Safe Browsing," I'll counter with "But people can
install their own CA."

~~~
walterbell
It's easier to move content to a new domain name than to a new legal identity.

~~~
geofft
And certificates for webpackages attest domain name, not legal identity,
right?

~~~
walterbell
They attest legal identity - watch the Chrome demo video.

------
artellectual
This means we will get automated certificate issuing and renewal in google
cloud? I’m looking forward to that.

~~~
philipri
Heroku’s integration with Let’s Encrypt is pretty seamless (been using it for
some hobby projects).

~~~
emersonrsantos
It's also seamless if you happen to use webmin, the open source "cpanel".

~~~
TimTheTinker
Wow, that’s still around? I last used webmin on a couple of servers 15 years
ago.

------
andrewstuart
The recent flow of "Google is closing this service", followed by "Google is
launching this new service" feels weird.

------
anfilt
I really hate the current system of CAs. Google may act trustworthy, but I
personally don't trust them.

Same can be said of other CAs.

~~~
dagenix
So? Many people hate the current system. It's not clear that anyone has a
better idea.

------
dredmorbius
Thoughts occurring to me: browser devs (Chrome, Firefox, Safari, Edge) already
serve as a link in the CA trust chain, in that they can decert a CA.

Browser dev as CA cuts out the middle man.

Cutting out the middle man removes a check on bad CA behaviour.

I'm not sure where I stand on this, though I'm somewhat concerned.

------
exabrial
> These 4 roots were created by GlobalSign and then transferred to Google.

Interesting, why would that happen? Why not generate the keys/certs yourself?

~~~
nailer
Cross signing allows support from older root stores.

------
zinssmeister
We just published the “SSL wars” story between Symantec and Google:
[https://www.templarbit.com/blog/2018/09/07/the-story-of-why-...](https://www.templarbit.com/blog/2018/09/07/the-story-of-why-chrome-and-firefox-will-soon-block-sites-with-certain-ssl-certificates/)

This adds another layer of color to that story.

------
zokier
Initial Google Trust Services announcement discussion thread here:

[https://news.ycombinator.com/item?id=13494780](https://news.ycombinator.com/item?id=13494780)

This has been brewing for quite a while now.

------
p0rkbelly
Pretty sure this is fairly old, and pretty sure they are following Amazon's
lead... almost literally via copy + paste (as an ode of approval and liking what
they are doing).

[https://bugzilla.mozilla.org/show_bug.cgi?id=1172401#c9](https://bugzilla.mozilla.org/show_bug.cgi?id=1172401#c9)

------
acidtrucks
I wish x509 certificates had several CA signings. I would feel n times
better about a peer who has n unique validations.

Every new CA that gets included just amplifies opportunities for coercion and
blunder.

------
jhabdas
Is it just me or is Google Groups starting to look not much sleeker than the
forums people used to self-host back in the mid-2000s?

------
zitterbewegung
Step One: Google becomes a CA with a large fanfare and covered in every tech
blog

Step Two: Google's entry makes the incumbents either decide to exit the space
or change their bad behavior

Step Three: Google exits the space accomplishing their mission and screwing
over whoever uses their services.

I really hope that it doesn't end like above but I think this will go the way
of Google Fiber. Or maybe this is a play for their cloud services to also have
be a CA like Amazon.

~~~
jchw
Yeah I doubt this. I don't know what exactly Google's PKI will be for but to
me this seems like a close relative of Google Cloud (esp. DNS) and Google
Domains. Also, similar infrastructure services from Google, like Google's
public DNS resolver, show no signs of being turned down.

(Disclaimer: I am a Google employee, but I don't work on any of this.)

~~~
psergeant
Are Cloud and Domains special-case product protected from closure? How do I as
an outsider know which Google products have this protection?

~~~
DannyBee
Actually, they have explicit guarantees, yes.

As an outsider, you would know from the terms of service:
[https://cloud.google.com/terms/](https://cloud.google.com/terms/)

7.2 Deprecation Policy. Google will announce if it intends to discontinue or
make backwards incompatible changes to the Services specified at the URL in
the next sentence. Google will use commercially reasonable efforts to continue
to operate those Services versions and features identified at
[https://cloud.google.com/terms/deprecation](https://cloud.google.com/terms/deprecation)
without these changes for at least one year after that announcement, unless
(as Google determines in its reasonable good faith judgment):

(i) required by law or third party relationship (including if there is a
change in applicable law or relationship), or

(ii) doing so could create a security risk or substantial economic or material
technical burden.

The above policy is the "Deprecation Policy."

If you click through to
[https://cloud.google.com/terms/deprecation](https://cloud.google.com/terms/deprecation)
you will see the covered services. (Reasonable good faith is a legal term of
art, so no, Google would not get away with whatever silly edge case people
come up with)

~~~
mjw1007
Summarising: they have no guarantee against closure; Google promises to give
one year's notice if/when they decide to close them.

~~~
jbg_
... unless they decide that giving one year of notice would be too expensive
or hard.

~~~
DannyBee
As mentioned, no, the legal standard is not that simple.

~~~
jbg_
Many of the products Google has already shut down would easily have passed a
reasonable good faith judgement that they were too expensive to keep running.
I don't see how this would be any different. I know that "reasonable good
faith" is a legal term of art, and I'm saying that I don't think Google would
struggle to meet that standard if they needed to shut one of these services
down.

~~~
tptacek
Those products Google shut down didn't have terms of services requiring Google
to keep them up. You've ignored half the argument here.

------
rodgerd
Next: Chrome and Search privilege Google CA over others.

------
psergeant
Clicking on this is asking me to sign in...?

~~~
adtac
Do you have JavaScript disabled? Don't you know we need JS to view nearly
static mailing lists with minimal user interaction in 2018? /s

~~~
jwilk
For me, it shows an empty page with JS disabled.

Here's a static HTML version:

[https://groups.google.com/forum/m/?_escaped_fragment_=topic/...](https://groups.google.com/forum/m/?_escaped_fragment_=topic/mozilla.dev.security.policy/KYwIf67hcMg)

------
niftich
This submission's title was editorialized by the submitter. It was submitted
as "Google CA", which is misleading, as the submission is about the
preexisting Google CA's addition as a root CA in the Mozilla trust store. The
article's underlying title is the more descriptive 'Google Trust Services Root
Inclusion Request'.

The Mozilla bugzilla issue [1] contains a more thorough picture of the process
that went into considering these root CAs for inclusion in the Mozilla trust
store, while the originally submitted URL [2] is focused on summarizing some
of the background and rationale and inviting public comment.

[1]
[https://bugzilla.mozilla.org/show_bug.cgi?id=1325532](https://bugzilla.mozilla.org/show_bug.cgi?id=1325532)
[2]
[https://groups.google.com/forum/m/#!topic/mozilla.dev.securi...](https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/KYwIf67hcMg)

~~~
geofft
Except that the application in the article contains the following statement:

> _Customers of the Google PKI are the general public. We will not require
> that customers have a domain registration with Google, use domain suffixes
> where Google is the registrant, or have other services from Google._

This is not currently true of the existing Google root, and "Google CA" seems
like an accurate-enough way of describing this change.

~~~
nailer
Submitter here, and yes exactly.

------
ddtaylor
> Section 1.4.2 of the CPS expressly forbids the use of Google certificates
> for “man-in-the middle purposes”

Uh huh.

------
peterwwillis
Two things which I think are technically possible with Google as a CA (please
correct me if I'm wrong):

1) Google's new business in China enables Google to give China tools to
inspect TLS traffic of arbitrary sites that use Google CA-derived certs

2) Google becomes a competitor to CloudFlare and uses position as CDN to
inspect all encrypted traffic for data to mine, and then uses data to make
more ad revenue (the way it does now with Gmail, search, etc)

~~~
iancarroll
(1) is not technically possible unless Google issues new certificates for each
site they want to inspect, and they would immediately be untrusted for doing
so. (Admittedly, a CA did this once and is still alive, but they came very
close to getting axed.)

~~~
Grue3
> and they would immediately be untrusted for doing so

Untrusted by whom? Let me remind you that Google also owns the most popular
browser used to access the web. There are already plenty of websites that
don't work in any other browser. So they won't even notice if non-Google
browsers suddenly don't trust the certificate anymore.

~~~
iancarroll
I agree with your point, though you might be exaggerating their current market
share a bit. But Chrome does not make certificate trust decisions on most
platforms, so it would certainly be a wild scenario for them to do something
like this.

