Pull up https://play.google.com/store in a browser and look at the TLS certificate chain.

Equifax Secure CA is the root CA for the certificate chain.

The intermediate CA (Google Internet Authority) issues the certificate for the end entity. Its CRL distribution point is http://crl.geotrust.com/crls/secureca.crl. There is no OCSP resource.

The end-entity certificate is wild-carded for a number of Google sites. Its CRL distribution point is http://www.gstatic.com/GoogleInternetAuthority/GoogleInterne.... There is no OCSP resource.

The relying party would validate the end-entity and intermediate CA certificates using CRLs (as no OCSP is available). These requests would be the only "data" sent as part of the certificate validation.

As the root CA is explicitly trusted (since it is present in the trust anchor compilation), it (Equifax Secure CA) is not contacted.

Explicitly removing trust for arbitrary root CAs (which can be prudent) will of course remove trust for end-entity certificates traceable to those CAs. Thus, if one removes trust for Equifax Secure Certificate Authority, one will no longer trust certificates issued by Google Internet Authority, such as the one used by https://play.google.com/store.

Trust via contemporary CA compilations and relying party PKI implementations is quite coarse. One essentially trusts all all CAs and subordinate certificates for a variety of purposes. Implementations vary in precision (or even presence) of revocation and constraint checking.

undefined

Is there another tweet that explains this tweet?

So? Is that a problem?

I'm using ICS. Go and disable the Equifax certificates yourself (Settings / Security) and see if you can confirm it.

I was just sitting here watching a movie and through process of elimination narrowed it down to Equifax that was preventing me from accessing/updating apps through Google Play.