Chrome Will Distrust CA Certificates From Entrust Later This Year

Accepted submission by hubie at 2024-06-29 13:47:26
Security

Chrome will distrust CA certificates from Entrust later this year [9to5google.com]

A Certification Authority [wikipedia.org] (CA) issues certificates that help guarantee you're visiting a legitimate website. Over the years, Chrome has had to distrust some CAs [9to5google.com], and the Google browser is about to do that again [googleblog.com] with certificates from Entrust.

Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.

Google points to a list of "publicly disclosed incident reports [mozilla.org]" that highlight a "pattern of concerning behaviors by Entrust that fall short of the [Chrome Root Program Policy [chromium.org] requirements], and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner."

When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome's continued trust in Entrust is no longer justified.

[...] Google's recommendation to website owners is to "transition to a new publicly-trusted CA Owner as soon as reasonably possible" before November 1. Meanwhile, other Google products might take similar actions in the future.

[...] More details of Google's roadmap and a FAQ can be found here [googleblog.com].

Google cuts ties with Entrust in Chrome over trust issues [theregister.com]

Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements.

Entrust is one of the many certificate authorities (CAs) used by Chrome to verify that the websites end users visit are trustworthy. From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won't be trusted by default.

Google pointed to a series of incident reports over the past few years concerning Entrust, saying they "highlighted a pattern of concerning behaviors" that have ultimately seen the security company fall down in Google's estimations.

The incidents [mozilla.org] have "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly trusted CA owner," Google stated [googleblog.com] in a blog.

It follows a May publication [mozilla.org] by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year. In response, and after an initial reply that was greeted with harsh feedback from the Mozilla community, Entrust acknowledged its procedural failures, Mozilla noted, and said it was treating the feedback as a learning opportunity.

It now seems Google hasn't been as accepting of Entrust's apologetic response.

[...] Tim Callan, chief experience officer at Sectigo, said in an email to The Reg that the news serves as a reminder to CAs that they must hold themselves to the standards the industry expects of them.

"CAs have to hold themselves to the highest of standards, not only for the sake of their business but for all the people and businesses that depend on them. With a shorter lifecycle timeline of 90 days looming, and the implications of Quantum Computing also on the horizon, things aren't getting any less complicated.

[...] A spokesperson at Entrust sent a statement to The Register: "The decision by the Chrome Root Program comes as a disappointment to us as a long-term member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers."

A little web scraping [infosec.exchange] shows that there are some pretty big name websites [pastila.nl] that currently use Entrust certs.
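The kind of inventory check a site operator would run before the November 1 cutoff, written here as an added example (it is not code from the article, from Google, or from Entrust) using only the Python standard library: it takes certificates in the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, flags any whose issuer organisation is Entrust or AffirmTrust, and reports how long the leaf has left so renewals with a different CA can be prioritised. It assumes the CA's organisation name appears in the issuer field of the leaf or intermediates (the root itself is usually not sent by the server); the sample certificate dictionaries are constructed, not real certificates.

```python
"""Check whether TLS certificates chain to Entrust/AffirmTrust issuers.
Added example, standard library only."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Issuer organisation names to flag. Assumption: intermediates issued under
# the Entrust and AffirmTrust roots carry the CA's own organisation name;
# check this against the chains you actually see in your estate.
DISTRUSTED_ISSUER_ORGS = {"entrust, inc.", "affirmtrust"}


def name_attr(rdns, attr):
    """Pull one attribute (e.g. 'organizationName') out of the
    tuple-of-tuples name format used by getpeercert()."""
    for rdn in rdns:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def chain_is_distrusted(chain, distrusted_orgs=DISTRUSTED_ISSUER_ORGS):
    """chain: list of getpeercert()-style dicts, leaf first.
    Returns the first issuer organisation that matches the flag list,
    or None if the chain is clean."""
    for cert in chain:
        issuer_org = name_attr(cert.get("issuer", ()), "organizationName")
        if issuer_org and issuer_org.lower() in distrusted_orgs:
            return issuer_org
    return None


def parse_cert_time(cert_time):
    """Turn a notBefore/notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def days_until_expiry(cert, now=None):
    """Whole days left on a certificate, measured from `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_time(cert["notAfter"]) - now).days


def assess(chain, now=None):
    """Summary dict for one host's chain: flagged issuer and days left."""
    return {
        "distrusted_issuer": chain_is_distrusted(chain),
        "days_left": days_until_expiry(chain[0], now),
    }


def fetch_leaf(host, port=443, timeout=5):
    """Live check: fetch the server's leaf certificate as a getpeercert()
    dict. Needs network access, so it is not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample leaves (not real certificates).
SAMPLE_ENTRUST_LEAF = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Entrust, Inc."),),
        (("commonName", "Entrust Example Intermediate"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
SAMPLE_OTHER_LEAF = {
    "subject": ((("commonName", "www.other.test"),),),
    "issuer": (
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example Issuing CA"),),
    ),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "Feb 28 23:59:59 2025 GMT",
}

if __name__ == "__main__":
    # Usage: python check_entrust.py host1 host2 ...
    for host in sys.argv[1:]:
        print(host, assess([fetch_leaf(host)]))
```

Run it with a list of your own hostnames; anything with a non-empty `distrusted_issuer` is a candidate for reissuance from another CA, and `days_left` tells you which renewals were coming up anyway.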
