As we have reported in the last few days, both Google and Microsoft have reported the creation of unauthorized SSL certificates for Google and other domains, issued by an improper intermediate certificate authority subordinate to the CA for the government of France.

That certificate authority released an announcement about the issue this past Saturday, December 7:

As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the IGC/A. The mistake has had no consequences on the overall network security, either for the French administration or the general public. The aforementioned branch of the IGC/A has been revoked preventively. The reinforcement of the whole IGC/A process is currently under supervision to make sure no incident of this kind will ever happen again.

Translated from bureaucratic/PR-speak, it says "Sorry we did this, no harm no foul, it won't happen again." But the explanation doesn't really make sense. It's not hard to see how, as part of an exercise, ANSSI (Agence nationale de la sécurité des systèmes d'information, the French government certificate authority) would create an intermediate certificate authority. There's no good reason for that authority, in an exercise or for any other function, to sign fake certificates for other organizations' domains.

One could speculate as to the reasons: It's possible that they were attempting to use fake certificates to spy on traffic to and from those sites. That would at least be a reason.

Another open question in this matter is how Google found out about it, especially if, as ANSSI says, "[T]he mistake has had no consequences on the overall network security, either for the French administration or the general public."