Did Google Go Rogue? ICP-Brasil Certificate Controversy Raises Questions About Compliance
In the Mozilla Bugzilla system, a case concerning the improper issuance of an SSL certificate involving ICP-Brasil and the domain google.com has sparked significant debate among experts. The issue has drawn attention because the certificate was issued in violation of established regulations.
The certificate was granted despite the presence of a CAA record for google.com, which explicitly restricts certificate issuance to pki.goog. An analysis of the certificate uncovered numerous infractions, including misconfigured extensions, incorrect field ordering, and other technical errors.
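To make the CAA point concrete, here is an added example (not code from the Bugzilla thread or from any of the parties named) that evaluates CAA records the way RFC 8659 requires a CA to before issuing. It runs against a constructed in-memory record set rather than live DNS; the only record taken from the article is google.com's `issue pki.goog`, and the issuer domain `example-ca.invalid` stands in for any CA the CAA record does not name.

```python
# Added example: RFC 8659 CAA evaluation over a constructed in-memory record set,
# so it runs with no DNS queries. Only google.com -> pki.goog comes from the
# article; every other name and "example-ca.invalid" are placeholders.
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # bit 7 of the CAA flags byte

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # issuer-domain-name, optionally followed by ";param=value"

ZONE = {
    "google.com": [CAA(0, "issue", "pki.goog")],
    "nocerts.example": [CAA(0, "issue", ";")],  # empty issuer: nobody may issue
}

def relevant_caa(fqdn, zone):
    """Climb from fqdn toward the root; the closest name with a CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere in the chain: issuance is unrestricted

def may_issue(fqdn, issuer_domain, zone=ZONE):
    """Return (allowed, reason) for a CA that identifies itself as issuer_domain."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_caa(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True, "no CAA records found"
    # A critical flag on a property the CA does not understand forbids issuance.
    unknown = [r.tag for r in rrset if r.flags & ISSUER_CRITICAL
               and r.tag not in ("issue", "issuewild", "iodef")]
    if unknown:
        return False, f"unrecognised critical property {unknown[0]!r}"
    # Wildcard names consult issuewild if present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    rules = [r for r in rrset if r.tag == tag]
    if not rules:
        return True, f"CAA present but no {tag!r} property"
    for r in rules:
        domain = r.value.split(";", 1)[0].strip().lower()
        if domain and domain == issuer_domain.lower():
            return True, f"authorised by '{tag} {r.value}'"
    return False, f"{issuer_domain} not in {tag!r} set {[r.value for r in rules]}"
```

With the google.com record in place, `may_issue("google.com", "example-ca.invalid")` is refused while `may_issue("google.com", "pki.goog")` is allowed, which is exactly the check the article says was not honoured.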
It was revealed that ICP-Brasil, the national certification authority in Brazil, issues intermediate certificates to other entities such as Certisign. However, under ICP-Brasil’s updated policy, the issuance of SSL/TLS certificates outside closed ecosystems—such as payment systems—is no longer permitted.
This particular certificate was intended for use with Google Wallet in Brazil, including the instant transfer system Pix. According to the rules, its application should have been restricted solely to these purposes. However, the certificate became available for broader use, raising concerns among experts.
Participants in the discussion contend that the issuing CA failed to verify all necessary conditions, resulting in the error. Additionally, they note that since the issue was identified, the CA has neither provided an official response nor clarified the situation, drawing criticism for insufficient oversight and delayed action.
Mozilla representatives indicated they are considering adding the certificate to OneCRL, Mozilla's certificate revocation list, to block its use. Experts also questioned how Microsoft enforces compliance among the CAs it trusts, since the certificate is trusted for server authentication within Microsoft's root program.
Speculation in the discussion suggests that Google may have independently requested the certificate without accounting for ICP-Brasil’s new restrictions. This oversight led to the certificate being unsuitable for use outside the payment system. The situation demands further investigation and clarification from all parties involved, including the certification authority and the corporations that rely on its certificates.