by wyager 4436 days ago
>First, "TOFU/POP" has a real name; it's "key continuity".

I am aware of both names, thank you.

>That only has to happen once for Google to put a gun to the rogue CA's temple.

Google can't really help in every single case. There are many situations where Google's revocation scheme can't keep up.

You also have to put a lot of trust in Google. You think Google is going to issue a revocation if they're under legal pressure not to?

As you are aware, human factors are frequently the weakest parts in a cryptosystem.


I don't understand your comment. Google doesn't revoke keys. It revokes whole CAs.

Well, what Google does is it gets a list of revoked certs from CAs, decides which ones are "really important" and sends those to the browser. So yes, in effect, Google decides which certificates are revoked. It's all covered in the article.

No. You're not following me. You think I'm describing agl's point. I'm not. I'm saying that beyond CRLSets, certificate pins also allow Google to detect misbehaving CAs. CAs have power only to the extent that Google allows them to have power by keeping them in Chrome's root CA key store. Google can pick among most of the current CAs and put them out of business on a whim.
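The thread contrasts three mechanisms without showing how they behave side by side: key continuity (TOFU) as wyager calls it, preloaded public-key pins, and a CRLSet-style revocation list. The following is an added toy model, not code from anyone in this thread and not Chrome's implementation. It stands in for real DER SubjectPublicKeyInfo bytes with constructed byte strings, hashes them the way pins are usually expressed (SHA-256 over the SPKI), and walks a single scenario: a real certificate for a host and a second certificate for the same host issued by a different CA. It also shows the weakness of key continuity that pins and CRLSets do not share: whichever key is seen first is accepted blindly.

```python
"""Toy model of key continuity (TOFU), static SPKI pins and a CRLSet-style
revocation lookup. Constructed example for illustration; the byte strings
below are stand-ins for real DER SubjectPublicKeyInfo structures."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


def spki_hash(spki_der: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo bytes, hex-encoded (pin format)."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class Cert:
    host: str
    spki_der: bytes         # constructed stand-in for the leaf's DER SPKI
    issuer_spki_der: bytes  # SPKI of the CA that signed this leaf
    serial: int


@dataclass
class KeyContinuityStore:
    """Trust-on-first-use: remember the first key seen per host, flag changes."""
    seen: Dict[str, str] = field(default_factory=dict)

    def check(self, cert: Cert) -> str:
        h = spki_hash(cert.spki_der)
        prior = self.seen.get(cert.host)
        if prior is None:
            self.seen[cert.host] = h
            return "first-use"  # nothing to compare against: accepted blindly
        return "match" if prior == h else "KEY CHANGED"


def pin_check(cert: Cert, static_pins: Dict[str, Set[str]]) -> str:
    """Preloaded pins: a cert for a pinned host is rejected unless its leaf key
    hash is in the pin set, regardless of which trusted CA signed it."""
    pins = static_pins.get(cert.host)
    if pins is None:
        return "not-pinned"
    return "pin-ok" if spki_hash(cert.spki_der) in pins else "PIN VIOLATION"


def crlset_check(cert: Cert, crlset: Set[Tuple[str, int]]) -> str:
    """CRLSet-style lookup keyed by (issuer SPKI hash, serial number)."""
    key = (spki_hash(cert.issuer_spki_der), cert.serial)
    return "REVOKED" if key in crlset else "not-revoked"


def run_scenario() -> Dict[str, str]:
    """Real cert vs. a second cert for the same host from a different CA."""
    good_ca, other_ca = b"good-ca-spki", b"other-ca-spki"          # constructed
    real_key, other_key = b"example-real-leaf-key", b"other-leaf-key"  # constructed
    real = Cert("example.com", real_key, good_ca, serial=1001)
    other = Cert("example.com", other_key, other_ca, serial=7)

    results: Dict[str, str] = {}

    # Key continuity: works only if the real key was seen first.
    store = KeyContinuityStore()
    results["tofu_first"] = store.check(real)
    results["tofu_other"] = store.check(other)
    poisoned = KeyContinuityStore()
    results["tofu_other_seen_first"] = poisoned.check(other)
    results["tofu_real_after_poison"] = poisoned.check(real)

    # Static pins: independent of which cert was seen first.
    pins = {"example.com": {spki_hash(real_key)}}
    results["pin_real"] = pin_check(real, pins)
    results["pin_other"] = pin_check(other, pins)

    # CRLSet: nothing is blocked until the (issuer, serial) entry is pushed.
    crlset: Set[Tuple[str, int]] = set()
    results["crl_before_push"] = crlset_check(other, crlset)
    crlset.add((spki_hash(other_ca), 7))
    results["crl_after_push"] = crlset_check(other, crlset)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} {verdict}")
```

The point the scenario makes concrete: the pin rejects the second certificate on first sight, the CRLSet rejects it only after an entry for that issuer and serial has been distributed, and key continuity rejects it only if the genuine key happened to be recorded first.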