[Cryptography] Google distrusts Symantec for mis-issuing 30,000 HTTPS certs

Ben Laurie ben at links.org
Fri Mar 24 21:35:00 EDT 2017


On 24 March 2017 at 14:28, Henry Baker <hbaker1 at pipeline.com> wrote:
> FYI --
>
> https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/
>
> Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs
>
> Chrome to immediately stop recognizing EV status and gradually nullify all certs.
>
> Dan Goodin - Mar 23, 2017 11:25 pm UTC
>
> In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have issued more than 30,000 certificates.
>
> Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site's authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.
>
> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
>
> ----
> While I applaud Google *in this instance*, what happens when Google starts doing evil?
>
> Why should I trust Google?
>
> Why do I have to trust Google?

In what sense are you trusting Google? CT provides the evidence of
whatever Symantec did. Google say exactly what they're doing about it.
You can verify the code does that and build it yourself if you want.

Where did trust come into this?
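A worked example of the independent verification the reply relies on, added here and not part of the thread: the RFC 6962 Merkle Tree Hash, the inclusion path a CT log returns for an entry, and the check a client runs against the log's signed tree head. The seven log entries are constructed stand-in byte strings, not real certificates, and the function names are this example's own.

```python
"""RFC 6962 Merkle Tree Hash and inclusion-proof check over a constructed log."""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # Leaves are domain-separated from interior nodes with a 0x00 prefix.
    return _h(b"\x00" + entry)


def _node(left: bytes, right: bytes) -> bytes:
    # Interior nodes carry a 0x01 prefix, so a leaf cannot masquerade as a node.
    return _h(b"\x01" + left + right)


def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2), as in RFC 6962 MTH.
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries):
    # MTH({}) = SHA256(""), MTH({d}) = leaf_hash(d), else hash of the two subtrees.
    if not entries:
        return _h(b"")
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return _node(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_path(m, entries):
    # PATH(m, D[n]): sibling hashes from the leaf upwards, per RFC 6962 2.1.1.
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_head(entries[:k])]


def _root_from_path(m, n, lh, path):
    # Recompute the root by walking the same split as PATH; None on malformed input.
    if n == 1:
        return lh if not path else None
    if not path:
        return None
    k = _split(n)
    if m < k:
        sub = _root_from_path(m, k, lh, path[:-1])
        return None if sub is None else _node(sub, path[-1])
    sub = _root_from_path(m - k, n - k, lh, path[:-1])
    return None if sub is None else _node(path[-1], sub)


def verify_inclusion(m, n, entry, path, root):
    # True only if entry at index m of an n-entry log hashes up to root via path.
    if not 0 <= m < n:
        return False
    return _root_from_path(m, n, leaf_hash(entry), path) == root


# Constructed sample log: stand-ins for the DER certificates a real CT log holds.
LOG = [b"cert-%d-example.test" % i for i in range(7)]
ROOT = tree_head(LOG)
```

Anyone holding the log's tree head can run the same check, which is why the evidence does not depend on trusting the party that publishes it.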

