Google has become a root Certificate Authority in its own right, allowing it to issue the digital certificates for its own products rather than rely on third-party certs to validate Google properties.
The move was announced Thursday, along with the creation of a new entity called Google Trust Services, which will operate the Certificate Authority for Google and its parent company Alphabet.
To establish its position as a root Certificate Authority, Google is said to have acquired existing root CAs from GlobalSign: R2 and R4.
Ryan Hurst, a manager in Google’s Security and Privacy Engineering outfit, said, “These Root Certificates will enable Google to be the independent certificate issuance sooner rather than later.”
Until now, Google has been working as its own subordinate CA, with the SSL and TLS certs for Google products issued by a third party. Hurst said Google will continue to do so.
“Google has obviously wanted to move to its own infrastructure for a while. There is no real reason for them to continue trusting the legacy CA infrastructure. This gives us a bit more independence. And also, it means that we alone can issue verifiably ‘Google’ certificates,” said Matthew Green, a professor of cryptography at Johns Hopkins University.
“Although on the flip side they have put in place a bunch of protections already in products like Chrome that make it hard to impersonate Google properties, so this seems like an incremental move,” Green said.
Google has published the root certificates it manages and expects developers who build software and applications that need to connect to Google to include the certs as trusted. It also may choose to operate subordinate CAs under third-party operated roots, Hurst said.
“For this very reason, if you are developing code that is intended to connect to a Google property, we still recommend you include a wide set of other trustworthy roots,” Hurst said.