Google and the Indian CA

Lost In Cyberia

Hey everyone, Have you guys heard about this?

For the TL;DR version: Google's domains were found to be signed to an unknown person. The signer of the certificate was a CA in India. The CA accidentally issued 45 SSL certs for domains that were owned by Google and Yahoo. My question is, how can the Google certs be signed, and then the same domain be signed again by the Indian CA? Can a domain be signed twice? It seems like this shouldn't be the case...

Also, is revoking a certificate the same thing as removing it from the cert store? I know that Chrome doesn't really check for revocation... So does that mean they just rely on "bad" SSL certs being removed completely from the store?

You can have a billion certs for a domain, but the domain can only provide 1 (1 IP = 1 cert because part of the protocol involves a reverse DNS lookup). Which of the billion the domain provides is up to the admin.

It doesn't make a lot of sense to have a ton of certs, but nothing's stopping you.

Revoking a cert means the CA marks the cert as being bad. Certs work on the basis of a trusted third party that tells you the other side of the connection really is who you expect. You don't know the other party, but you know and trust the CA (CA cert is in your trust store) and so you trust their claim that the other party really is that other party.

But even CAs make mistakes, so you (should) check the revocation list of the CA when you connect to a site that the CA says is legit, to make sure it hasn't changed its mind about that.
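As an added illustration of the two points made above (any number of CAs can issue certs for the same hostname, and revocation is the CA marking a cert bad, not the CA leaving your trust store), here is a small openssl script. It is not from this thread; the CA names, the hostname www.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: two independent CAs each issue a
# certificate for the SAME hostname (constructed names: real-ca, other-ca,
# www.example.test). Which one a client accepts depends only on the CAs in its
# trust store, and a trusted CA can withdraw one cert via a CRL while the CA
# itself stays in the store. Needs only the openssl CLI.
set -e

mk_ca() {   # self-signed root: $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$1" -days 30 2>/dev/null
}
mk_leaf() { # $1 = issuing CA, $2 = output name; every leaf claims www.example.test
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -out "$2.crt" -days 30 2>/dev/null
}
verify_chain() { # $1 = leaf, $2 = trusted CA, $3 = optional CRL -> trusted|rejected
  if [ -n "$3" ]; then
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi && echo trusted || echo rejected
}
revoke_and_gencrl() { # $1 = CA name, $2 = cert to revoke; writes $1.crl
  # minimal 'openssl ca' config: just a database, a CRL number and CRL lifetime
  printf '[ca]\ndefault_ca = d\n[d]\ndatabase = %s.idx\ncrlnumber = %s.num\n' \
    "$1" "$1" > "$1.cnf"
  printf 'default_md = sha256\ndefault_crl_days = 7\n' >> "$1.cnf"
  : > "$1.idx"; echo 01 > "$1.num"
  openssl ca -config "$1.cnf" -cert "$1.crt" -keyfile "$1.key" -revoke "$2" 2>/dev/null
  openssl ca -config "$1.cnf" -cert "$1.crt" -keyfile "$1.key" -gencrl -out "$1.crl" 2>/dev/null
}
run_demo() { ( set -e; cd "$(mktemp -d)"
  mk_ca real-ca; mk_ca other-ca
  mk_leaf real-ca site-a; mk_leaf other-ca site-b   # two valid certs, one hostname
  a=$(verify_chain site-a.crt real-ca.crt)   # trusted
  b=$(verify_chain site-b.crt real-ca.crt)   # rejected: other-ca is not in this store
  c=$(verify_chain site-b.crt other-ca.crt)  # trusted by any client that trusts other-ca
  revoke_and_gencrl real-ca site-a.crt       # the CA changes its mind about site-a
  d=$(verify_chain site-a.crt real-ca.crt real-ca.crl)  # rejected, CA still trusted
  echo "$a $b $c $d"
) }
run_demo   # prints: trusted rejected trusted rejected
```

Note that the last check only fails because the client asked for CRL checking; a client that skips revocation (as the reply says Chrome largely does) would still accept site-a.crt until the CA itself is dropped from the store.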

