[SSL Observatory] SSL CA compromise in the wild

Adam Langley agl at google.com
Fri Mar 25 06:57:35 PDT 2011


On Wed, Mar 23, 2011 at 5:58 PM, Adam Langley <agl at google.com> wrote:
> Unfortunately this might change in the future if we want more
> significant Google properties to enable HSTS. We are not willing to
> tie our fate to the serving ability of our CA.

pde pointed out, off list, that Google is its own CA for most of our
domains so why does this bother us?

Revocation has to be checked for the whole path so our intermediate CA
certificate is subject to revocation checks. Specifically it has a CRL
pointer to http://crl.geotrust.com/crls/secureca.crl

If crl.geotrust.com were to go down, and the client had strict
revocation checking, then every domain hanging off our intermediate CA
would be down.


AGL
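
The dependency described in the message above, as an added example that is not part of the original message: a path revocation check run with and without strict checking while one CRL host is down. The chain, names, serials and the leaf's CRL URL are constructed; only the intermediate's CRL URL comes from the message.

```python
from urllib.parse import urlparse

# Constructed path, leaf first. Only the intermediate's CRL URL is from the
# message above; names, serials and the leaf's CRL URL are made up.
CHAIN = [
    {"subject": "www.example.test", "serial": 0x1001,
     "crl": "http://crl.example-ca.test/leaf.crl"},
    {"subject": "Example Intermediate CA", "serial": 0x2002,
     "crl": "http://crl.geotrust.com/crls/secureca.crl"},
    {"subject": "Example Root (trust anchor)", "serial": 0x3003, "crl": None},
]

def revocation_hosts(chain):
    """Hosts a client must reach to check revocation for the whole path."""
    return {urlparse(c["crl"]).hostname for c in chain if c["crl"]}

def make_fetcher(down_hosts=(), revoked=None):
    """Stand-in for a CRL download: raises OSError if the host is down."""
    revoked = revoked or {}
    def fetch(url):
        if urlparse(url).hostname in down_hosts:
            raise OSError("CRL server unreachable: " + url)
        return revoked.get(url, set())   # set of revoked serial numbers
    return fetch

def check_path(chain, fetch, strict):
    """Return 'ok', 'revoked' or 'unavailable' for the certificate path."""
    for cert in chain:
        if not cert["crl"]:          # trust anchor: nothing to check
            continue
        try:
            revoked_serials = fetch(cert["crl"])
        except OSError:
            if strict:               # hard-fail: no answer means no connection
                return "unavailable"
            continue                 # soft-fail: treat no answer as not revoked
        if cert["serial"] in revoked_serials:
            return "revoked"
    return "ok"

def outage_impact(chain, host):
    """Result of the same outage under strict and non-strict checking."""
    fetch = make_fetcher(down_hosts={host})
    return {"strict": check_path(chain, fetch, True),
            "soft": check_path(chain, fetch, False)}
```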


