So far, Google Chrome has used the operating system as a trust anchor for checking HTTPS certificates. Specifically, the browser accepts all certificates whose digital signature can be traced back to one of the root CA certificates installed by the operating system; i.e. those installed by Microsoft on Windows, those installed by Apple on macOS and so on. Now Google wants to build its own root CA store, which Chrome will then use by default.
This root CA store is meant to contain the root certificates of all certification authorities that Chrome trusts by default. The Chrome team has already published a policy setting out the conditions that CAs must meet to be included. Mozilla already operates a similar program for Firefox's root CA store. Unlike Chrome, Firefox has traditionally used its own root certificates and not those of the operating system.
More power for Google
The background to this change is obvious: Google has been using Chrome as a lever for some time to force a modernization of the Public Key Infrastructure (PKI) for HTTPS. For example, it enforced Certificate Transparency against fierce resistance from the certification authorities being monitored. With its own root CA store, Google extends this leverage enormously. Ultimately, the concrete threat is there: if a root CA does not play along, it will be kicked out.
This is by no means an empty threat, as Symantec had to experience first-hand: after Google caught the company several times issuing unauthorized certificates for Google domains, it withdrew its trust from the CA and displayed warnings for all certificates that were certified by Symantec's CAs. Ultimately, Symantec was forced to sell the entire business line to its competitor DigiCert.