
> misissuance of GOOGLE.COM or FACEBOOK.COM would be detected and unlikely to be successful

Eventually detection is almost certain, but whether it's "successful" would depend very much on what somebody was doing with it and why.

We have some examples to work with in analysing this, where certificates for Facebook or Google names were issued at various times without Facebook or Google knowing about it - and maybe I'll do that analysis later, but for now I want to focus on your Hollywood Action Thriller scenario.

Google did not "kill" the "largest best-known CA in the market".

Back in January 2017 Andrew Ayer wrote to m.d.s.policy about some certificates Symantec had issued for names like example.com (sic) which Andrew had verified were not asked for by example.com's legitimate owners. This gradually spiralled, with Mozilla producing a fairly substantial document listing well over a dozen distinct problems, both newly discovered and dating back a little way, with Symantec. Overall the impression we got was that Symantec management were not delivering the oversight role needed to ensure their CA achieved what a relying party should expect.

Symantec management didn't like where this was going and tried to "go over our heads". I have no idea whether this worked for Microsoft and Apple, and for me there isn't anyone "over my head", but at Google it appears to have made things worse.

In summer 2017 Google's plan asked Symantec to replace their infrastructure and institute bottom-up change to their organisation in order to restore our confidence in the CA. For practical reasons (it's hard to stall your customers for perhaps 1-2 years while you fix things) Symantec would have needed to continue selling certificates during the period when we did not trust their management to operate a CA, and so they'd need to find another large CA to provide us with the assurances we need while retaining Symantec (or Thawte, Verisign, etcetera, all brands of Symantec) branding.

Symantec negotiated with DigiCert to provide this capability over summer 2017 (very small Certificate Authorities would not have been able to practically do what was needed) but at some point during that negotiation they pivoted to instead selling the business to DigiCert.

Once the initial agreement existed in October 2017, DigiCert and Symantec sought permission to go ahead, and received it on some simple conditions (Mozilla's concern was that this might be something akin to a "reverse take over" in which Symantec would dodge the intended management changes and instead seize a new brand; key people at DigiCert were able to assure us that this was not going to happen), then all the usual business stuff happened, and in parallel DigiCert began building a new issuance infrastructure for the ex-Symantec brands, more or less as they would have under the original concept but with them keeping the profits.

In practical terms Symantec chose to exit the CA business a bit less than a year after Andrew's original post to m.d.s.policy, after many months of discussion about all the issues raised.

Now, if you want you can speculate about how _hard_ it is for incompetent and untrustworthy people to become competent and trustworthy, but Symantec decided they weren't interested in that path so we'll never know. Nobody killed them, they decided they weren't interested in reform.




This is just more irrelevant detail. Your essential rhetorical strategy here is to concede the argument I've made, but pretend otherwise by marshaling hundreds of words of details that don't address the point you're claiming to rebut.

Nobody cares who wrote to m.d.s.policy about the misissuance or the precise dynamics of Symantec getting out of the CA business --- though surely you'll want to claim otherwise to preserve the notion that you've rebutted me.

The simple facts:

* Symantec was a full thirty percent of all TLS certificates in 2015.

* Google was made aware (through multiple channels) of misissuance.

* Google arranged with Mozilla to distrust Symantec.

* Symantec is now out of the CA business.

If you're trying to claim that Symantec is out of the CA business because it simply wanted to be, and so somehow gracefully exited by selling to DigiCert, no, that is not what happened.

Otherwise, none of the detail you're offering has anything to do with this thread.


Your claim was that Google would "kill the CA you got it from" if somebody obtains a certificate for the name GOOGLE.COM and that they'd need to "turn the timer on your iPhone on so we can measure how long it takes" with "no notification".

I've explained this is ludicrously far from reality, spelling everything out so that people can see this imaginary lightning fast reaction doesn't exist. Would the GOOGLE.COM certificate itself get revoked? Yeah, probably. Might even happen the same day if you're lucky.

Would anything at all happen to the CA, ever? Probably not, though it would depend on what exactly the sequence of events was. If it did, as we saw with Symantec it would take months to decide what that should be, and it's very unlikely to be a complete distrust.

Your scenario is something that belongs in a thriller, I gave a nice example where a Vernor Vinge novel does almost exactly this, in a fictional future California, and I explained that er, no, that's not how it works. You are welcome to keep living in a dream world, but if you're going to threaten people with imaginary consequences for doing things you don't like, maybe say you'll launch a fireball at them with your mind or something so nobody thinks you're talking about the real world.


I'm pretty comfortable at this point with what this thread says about my argument and your rebuttal and am happy to leave it here.



