Google Inc. said last week that it’s planning to become an independent Root Certificate Authority, which means it would be able to issue its own communications protocol certificates for securing web traffic.

A certificate authority is a trusted entity that issues electronic documents that verify a digital entity’s identity on the Internet. The electronic documents, which are called digital certificates, are an essential part of secure communication and play an important role in the public key infrastructure.

Google currently relies on intermediary firms, including GlobalSign Inc. and GeoTrust Inc. to provide certificates, and operates its own certificate authority to manage and deploy them on its infrastructure, as part of its efforts to implement the more secure web protocol known as HTTPS across all of its products.

In a blog post, Google security engineer Ryan Hurst revealed that the company is in the process of migrating all of its services and products away from its current certificate authority to the new Root Certificate Authority, which is called Google Trust Services.

“As we look forward to the evolution of both the web and our own products it is clear HTTPS will continue to be a foundational technology,” Hurst explained. “This is why we have made the decision to expand our current Certificate Authority efforts to include the operation of our own Root Certificate Authority.”

The move will not have much of a noticeable impact for Google’s users. The main difference will be that when users of a Google website click on its HTTPS security certificate, they will see it’s issued by Google Trust Services rather than Google Internet Authority, GeoTrust or GlobalSign. This will make it easier for users to identify authentic Google services, the company said.

For Google it does mean greater control over security, however. Once it’s fully rolled out, Google Trust Services will ensure that the company’s engineers have full control over its HTTPS certificates from the time they’re issued until they’re revoked. Developers who build products that interact with Google’s services will also be impacted, as they will need to include the new Root Certificates, Hurst said.

Not everyone seems too keen on the idea of Google gaining more control however. Concerns were raised on the Hacker News forum that it means putting all of your eggs in one basket. “I have no love for most the major CAs I’ve interacted with, but this feels wrong, though I can’t quite pinpoint why,” wrote one user named algesten. “Perhaps just a general feeling that all the internet eggs are being put, one by one, in one single alphabet basket.”

Quipped a second commenter, “You can now have a website secured by a certificate issued by a Google CA, hosted on Google web infrastructure, with a domain registered using Google Domains, resolved using Google Public DNS, going over Google Fiber, in Google Chrome on a Google Chromebook. Google has officially vertically integrated the Internet.”

Google is providing more technical information, including details of its current active root certificates, on the new Google Trust Services page.

Photo: Santeri Viinamaki Flickr via Compfight cc