by GaryGapinski 4734 days ago
Pull up https://play.google.com/store in a browser and look at the TLS certificate chain.

Equifax Secure CA is the root CA for the certificate chain.

The intermediate CA (Google Internet Authority) issues the certificate for the end entity. Its CRL distribution point is http://crl.geotrust.com/crls/secureca.crl. There is no OCSP resource.

The end-entity certificate is wild-carded for a number of Google sites. Its CRL distribution point is http://www.gstatic.com/GoogleInternetAuthority/GoogleInterne.... There is no OCSP resource.

The relying party would validate the end-entity and intermediate CA certificates using CRLs (as no OCSP is available). These requests would be the only "data" sent as part of the certificate validation.

As the root CA is explicitly trusted (since it is present in the trust anchor compilation), it (Equifax Secure CA) is not contacted.

Explicitly removing trust for arbitrary root CAs (which can be prudent) will of course remove trust for end-entity certificates traceable to those CAs. Thus, if one removes trust for Equifax Secure Certificate Authority, one will no longer trust certificates issued by Google Internet Authority, such as the one used by https://play.google.com/store.

Trust via contemporary CA compilations and relying party PKI implementations is quite coarse. One essentially trusts all CAs and subordinate certificates for a variety of purposes. Implementations vary in precision (or even presence) of revocation and constraint checking.
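As an added example (not part of the thread), the path validation the post describes, reproduced offline with Go's standard library on a constructed chain: placeholder names and CRL URLs, no OCSP responder on any certificate, and the end entity trusted or not purely on whether the root sits in the local anchor pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates and signs one certificate (nil parent = self-signed); only a CRL DP is set, no OCSP.
func issue(cn string, ca bool, crlDP string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{crlDP}, // OCSPServer deliberately left empty
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn} // the end entity's wildcard SAN
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain returns a constructed root -> intermediate -> wildcard leaf chain (placeholder names/URLs).
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rkey := issue("Example Root CA", true, "http://crl.example.test/root.crl", nil, nil)
	inter, ikey := issue("Example Internet Authority", true, "http://crl.example.test/secureca.crl", root, rkey)
	leaf, _ = issue("*.example.test", false, "http://crl.example.test/ia.crl", inter, ikey)
	return
}

// ChainValid is offline path validation: no CA is contacted, so only the anchor pool decides the outcome.
func ChainValid(leaf, inter *x509.Certificate, anchors *x509.CertPool, host string) bool {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, Intermediates: inters, DNSName: host})
	return err == nil
}
```

Passing an empty pool as `anchors` is the programmatic equivalent of removing the root from the trust store: the intermediate and leaf are unchanged, yet validation fails.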

2 comments

I don't think it's just a coincidence or necessarily a secret:

"Equifax Inc. (EFX), EBay Inc.'s (EBAY) PayPal and Intuit Inc. (INTU) have begun trials to see whether social posts can help prove identities, and, in some cases, detect whether customers are lying about their finances." http://finance.yahoo.com/news/facebook-posts-help-credit-bur...

Actually I remember blogging about this years ago, back when Myspace was at its peak. So it's not news. I'm just wondering if Google has revealed what data it reports to Equifax, if any. And if that's the case, I think the next question is: What sort of app activity will help improve your credit?

Also I'd like to see a "Certificate Cleaner" app that could just erase all the non-mandatory certificates. Or even better, show app-certificate associations so people could better decide which certificates they need/want/don't want. For my phone to "trust" 99 entities I've never heard of, without knowing what those certificates are for, that seems a little unsafe and irresponsible. If I didn't want choice or involvement I'd just buy an iPhone. At least I can see and disable the certificates and install another app store like F-Droid.