
This whole thing is a little weird to me. It's prompted by the ICP-Brazil misissuance of Google certificates. I get that it's a big deal. And, if ICP-Brazil was generally in the root stores of Google, Mozilla, and Apple, I would agree that this is a real challenge to the integrity of the WebPKI.

But it's not. Microsoft is the only entity that trusts ICP-Brazil. Microsoft cut a deal with Brazil, exclusively regarding software Microsoft controls, to allow them to do... whatever it is they were doing.

You should be unhappy with Microsoft if you're a Microsoft customer. But this has almost nothing to do with the WebPKI. Microsoft could also have rigged their browser up to accomplish the same thing.



The ICP-Brazil thing was just a surprise coincidence as I was finishing up the article. I had started collecting my notes on the topic when Entrust got distrusted. Fun threads to read through:

- https://bugzilla.mozilla.org/show_bug.cgi?id=1890898

- https://groups.google.com/a/mozilla.org/g/dev-security-polic...

DigiCert incident was pretty loud so that got my attention too: https://bugzilla.mozilla.org/show_bug.cgi?id=1910322


That's really stupid: they got in trouble for writing down a requirement that wasn't actually a requirement and wasn't meant to be a requirement, in a human readable document, and then not revoking and reissuing those certificates which didn't meet the requirement, which still don't meet it so revoking and reissuing achieves nothing, and weren't supposed to meet it anyway so there's nothing actually wrong with them. Part of the point of having humans in a process is so that they can make sensible decisions when the process prescribes something nonsensical, but Mozilla wants to follow the nonsensical process at all costs.


No that's not what they did. They had made promises about how they would handle issuing certs not in compliance with their CPS then went back on them, after a long history of similar things.

It's all brown M&Ms here.


"Hey, just so you know, we did read your brown M&Ms clause, but since last month M&M is running a special promotion where they only make rainbow colours, we got you a bowl of yellow ones instead."

Which is the correct course of action:

"Of course. Thank you for paying attention to the spirit of the rule."

Or: "No, fuck you, show is cancelled."

---

All of the stuff I said happened did happen. The extra context you are providing is irrelevant since it does not change the fact that what happened is stupid and it's Mozilla's fault that stupid stuff happened.


So the ICP Brazil thing is interesting.

It's not a certificate intended for use on the web in general. It's an open finance certificate designed for use within that ecosystem within Brazil, and it was issued to a Google subsidiary who would have requested it to have that common name, and who would have been evaluated as being authorised to have such a certificate within that context.

The main problem seems to be that the root certificate was in the MS keystores, and seems to have previously been submitted to Mozilla (and maybe others) for inclusion, which points to a poor separation of concerns for that CA. They clearly wanted to be a general web authority at some point, but were repurposed.

So it's hard to see it as purely a "misissuance", and it's definitely not malicious.



