See also our updated July 3 story with full response from Entrust.
Chrome, the world’s most widely used browser, will no longer trust TLS certificates from Entrust, a bombshell move that comes after years of frustration with the certificate authority (CA) came to a head this month.
“Trust didn’t show up in our name by accident” goes Entrust’s strapline.
Google disagreed, saying: “Over the past six months, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fell short of the above expectations, and has eroded confidence in its competence, reliability, and integrity as a publicly-trusted CA Owner.”
What’s a CA?
A CA is an entity that validates the digital identity of a website, email address, company or individual and then issues a signed digital certificate attesting to that identity; browsers and operating systems decide which CAs they will trust through their root programs. Entrust itself describes a CA as a “rigorously vetted entity that must meet established baseline requirements put forth by the CA/Browser Forum. Certificate authorities and internet browsers work together to develop stricter and more uniform standards for the management and issuance of various digital certificates.”
“Blocking action will begin on approximately November 1, 2024, affecting certificates issued at that point or later” Google said in a June 27 blog. Certificates issued before that date are not covered by the block, which gives operators a window to migrate, but new issuance or renewals from Entrust after the cutoff will not be trusted by Chrome.
“We recommend that affected website operators transition to a new publicly-trusted CA Owner as soon as reasonably possible” it added. Affected customers include Chase Bank, Dell, Mastercard and many others.
Many corporations also use an Entrust service to white-label TLS and code-signing certificates, putting their own brand on publicly trusted certificates. Because a browser makes its trust decision at the root rather than at the name on the issuing certificate, certificates issued under such branded intermediates are affected to the extent they chain up to the distrusted Entrust roots.
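Whether a given site is affected comes down to two things the announcement pins down: the chain must end at one of Entrust's roots, and the leaf must have been issued on or after the cutoff. The Go program below is an added example, not code from the article, Google or Entrust. It builds a constructed three-tier chain in memory (a throwaway test root, a white-labelled intermediate branded for a hypothetical "Example Corp", and a leaf for example.com), verifies it with the standard library, and applies that rule. The name-based root test, the example.com names and the issuance dates are assumptions made for illustration; a production check should match the roots by fingerprint against the list in Google's announcement rather than by name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ChromeCutoff is the approximate date quoted from Google's June 27 announcement.
var ChromeCutoff = time.Date(2024, time.November, 1, 0, 0, 0, 0, time.UTC)

// isEntrustRoot is a simplified name-based test used for illustration only (an assumption);
// a real check should match the exact roots the Chrome Root Program lists, e.g. by SHA-256 fingerprint.
func isEntrustRoot(c *x509.Certificate) bool {
	for _, org := range c.Subject.Organization {
		if strings.Contains(strings.ToLower(org), "entrust") {
			return true
		}
	}
	return false
}

// Affected reports whether the announced policy blocks this leaf: its chain must end at an
// Entrust root and its notBefore must be on or after the cutoff. The leaf's own Issuer is
// ignored on purpose: a white-labelled intermediate still chains to the distrusted root.
func Affected(leaf *x509.Certificate, inters, roots *x509.CertPool, cutoff time.Time) (bool, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   leaf.NotBefore.Add(time.Hour), // validity as of issuance, not wall clock
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return false, fmt.Errorf("chain does not verify: %w", err)
	}
	if leaf.NotBefore.Before(cutoff) {
		return false, nil // issued before the cutoff: trusted until it expires
	}
	for _, chain := range chains {
		if isEntrustRoot(chain[len(chain)-1]) { // last element is the trust anchor
			return true, nil
		}
	}
	return false, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with the signer's key and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildConstructedChain makes a throwaway in-memory chain: a root whose Organization is rootOrg,
// an intermediate branded for a hypothetical "Example Corp", and a leaf for example.com issued
// at notBefore. None of these are real certificates; they exist only to exercise Affected offline.
func BuildConstructedChain(rootOrg string, notBefore time.Time) (leaf *x509.Certificate, inters, roots *x509.CertPool) {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, icaKey, leafKey := gen(), gen(), gen()
	ca := func(serial int64, cn, org string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{org}},
			NotBefore: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := ca(1, rootOrg+" Test Root", rootOrg)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	ica := sign(ca(2, "Example Corp Issuing CA", "Example Corp"), root, &icaKey.PublicKey, rootKey)
	leaf = sign(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.com"}, DNSNames: []string{"example.com"},
		NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ica, &leafKey.PublicKey, icaKey)
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ica)
	return leaf, inters, roots
}

func main() {
	for _, when := range []time.Time{ChromeCutoff.AddDate(0, 0, -14), ChromeCutoff.AddDate(0, 0, 14)} {
		leaf, inters, roots := BuildConstructedChain("Entrust", when)
		hit, err := Affected(leaf, inters, roots, ChromeCutoff)
		fmt.Printf("issued=%s affected=%v err=%v\n", when.Format("2006-01-02"), hit, err)
	}
}
```

The point the branded chain makes: the leaf's Issuer reads "Example Corp Issuing CA", yet the check still fires for a post-cutoff leaf, because the trust decision is made at the root, not at the name on the issuing certificate. The same leaf dated before the cutoff is reported as unaffected, and a leaf that does not chain to any supplied root is an error rather than a silent pass.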
What is Entrust and why is this happening?
Privately held Entrust reports revenues of close to $1 billion annually and approximately 10,000 customers globally including banks and governments. It is among the world’s largest digital certificate providers and also offers identity and cryptographic key management software.
It is owned by the German billionaire Quandt family (also major shareholders in BMW) and in April 2024 closed a $650 million acquisition of identity and security specialist Onfido. But as a certificate authority it appears to have alienated the broader open community of which it is part.
Chrome said Entrust’s "concerning behaviors include...":
Numerous recent violations of the CA/Browser Forum TLS Baseline Requirements (e.g., [1], [2], and [3]), which in some cases were willful (e.g., [4], [5], and [6]).
Untimely and often incomplete incident reporting (e.g., [7], [8], and [9]).
A failure to demonstrate an understanding of the root causes of an incident and a lack of a substantive commitment and timeline to changes that clearly and persuasively address the root cause(s) (e.g., [10], [11], and [12]).
A failure to design error-proof and/or compliant certificate issuance systems and corresponding processes (e.g., [16], [17], and [18]).
A failure to uphold commitments made in policy and in response to Web PKI incidents (e.g., [19], [20], [21], [22], [23], and [24]).
A failure to accept accountability or responsibility for its failures, often appearing to instead blame external forces... (e.g., [29], [30], [31], and [32]).
“Chrome’s continued trust in Entrust is no longer justified” Google said.
A review of the incident bugs and public conversations among members of the CA/Browser Forum (CA/B Forum) shows Google was not alone in its palpable discontent with Entrust, even if it has taken this step unilaterally. Members including Mozilla had urged Entrust to publish, by June 7, a letter detailing the steps it was taking in response to the concerns.
That letter utterly failed to persuade the community, which responded robustly. By June 21 Entrust appeared, six years too late, to have recognised the gravity of the threat and published a second letter promising change. By then Chrome's team was past persuading.
What did Entrust say on June 21?
"We want to begin by acknowledging to the root programs and the community that we have not successfully fulfilled all the commitments we made to you in 2020. This has resulted in several instances where we did not comply with the CA/B Forum and root program policies.
"With respect to the recent issues, we acknowledge that these incidents did not get reported and communicated in the appropriate way with the CA/B forum. Our initial stance of not revoking the impacted certificates was incorrect. We are disappointed as this does not represent Entrust values and falls short of the standards we set for ourselves.
"We also want to make sure it is understood that none of these lapses have been malicious or done with ill-intent to make the internet less secure. As a global CA we must walk a tightrope in balancing the requirements of the root programs and subscriber needs, especially for critical infrastructure. In some cases, we did not strike the right balance.
"We are committed to making lasting organizational and cultural changes to fix this and to begin to regain the trust of the root programs and the community" wrote Bhagwat Swaroop, President, Digital Security Solutions, Entrust.
It was, it appears, too little and too late.
As one commenter on the CA/B forum, Mike Shaver, put it caustically: “I have to say, now that we've reached the end of this part of the process, that I find Entrust's response – in specific and in general – to be well beneath not only the expectations but indeed the mere *dignity* of the Mozilla root program process, the CA/BF commitments, and the trusted role that Entrust seems to so arrogantly believe cannot be lost."
Chrome’s Ryan Dickson suggested that the door may be open to trusting Entrust certificates again in the future. Meanwhile, some company executives have a LOT of explaining to do to their customers.
Dickson said: “Our decision is based on a consistent pattern of unmet commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports over the past six years. While our decision is firm and one we consider reasonable given the potential for harm a public CA poses to the Internet ecosystem, we encourage Entrust to remain committed to the principles described in their latest report and to demonstrate genuine change. By doing so, they may have the opportunity to regain the trust required to serve as a public CA in the future.”
Tim Callan, Chief Experience Officer at the CA Sectigo, said: “The Entrust news is a sharp reminder of why it is so important for CAs to take their role as stewards of public trust very seriously. CAs have to hold themselves to the highest of standards, not only for the sake of their business but for all the people and businesses that depend on them. With a shorter lifecycle timeline of 90 days looming, and the implications of Quantum Computing also on the horizon, things aren’t getting any less complicated. It’s more important than ever that CAs and CLM providers stay at the top of their game and fully comply with CA/Browser Forum rules and baseline requirements.”
An Entrust spokesperson told The Stack: “The decision by the Chrome Root Program comes as a disappointment to us as a long-term member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers.”
Entrust added that the decision does not affect its Verified Mark Certificates, code-signing, digital signing or private certificate offerings, including its managed PKI solutions; those products rely on trust stores other than Chrome's root program, which governs only the TLS server certificates Chrome accepts.