Most of Microsoft's and Google's web sites use certificates signed by an intermediate authority such as "Microsoft Internet Authority" or "Google Internet Authority" which is subsequently signed by a trusted root authority.
I've seen multi-domain wildcard certificates that include *.android.com, *.google.com, *.google.co.uk etc. in a single certificate signed by "Google Internet Authority".
Does this mean that the trusted root authority has given "Google Internet Authority" privileges to freely sign any wildcard domain under android.com, google.com and all Google's other TLDs?
What if Google acquires a new TLD? Does that mean "Google Internet Authority" will need to be reissued by the the trusted root authority? That would probably cost a lot of money for every new TLD they need to add. Do such certificates have some kind of agreement with the trusted root authority where they can keeping adding new TLDs at a reduced price?
