The CEO of Entrust said his company has made sweeping organisational changes in the wake of Google's bombshell decision to stop trusting newly issued Entrust TLS certificates in Chrome, saying "we are committed to improvement" going forward.
Entrust CEO Todd Wilkinson made the comments after Google said Entrust’s “publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that… eroded confidence in its competence, reliability, and integrity as a publicly-trusted CA Owner.”
Chrome will no longer trust Entrust-issued TLS certificates issued on or after November 1, 2024, Google announced last week, to consternation across the industry. Certificates issued before that date keep working until they expire; the distrust bites when a site renews.
But Entrust said it can continue to serve customers: “All Entrust TLS certificates issued through October 31, 2024, will be trusted by default by Google through their expiration date. After October 31, we will have the operational capabilities to serve customers’ certificate needs, with alternative or even partner roots if necessary” Wilkinson wrote on July 1.
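The practical question for any site operator is which side of that date a given certificate falls on. What follows is an added example, not code from Entrust or Google. It assumes the third-party Python `cryptography` package is installed, uses the issuer's organization name as a stand-in for "chains to one of the distrusted Entrust roots" (a real check walks the chain to the root and compares against the roots Google enumerated), and uses notBefore as a stand-in for the earliest SCT timestamp Chrome actually keys on. The certificates it classifies are constructed inside the block; `load_pem` is the entry point for a certificate you already have.

```python
"""Classify a TLS certificate against Chrome's date-based Entrust distrust.

Added example (not Entrust's or Google's code). Assumes the `cryptography`
package. Issuer O= and notBefore are approximations of the real criteria
(root identity and earliest SCT date); treat the output as a first screen.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Google's stated line: certificates issued through 31 October 2024 stay
# trusted until they expire; later ones from the listed Entrust roots do not.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)


def _not_before_utc(cert: x509.Certificate) -> datetime:
    """notBefore as an aware UTC datetime across cryptography versions."""
    aware = getattr(cert, "not_valid_before_utc", None)  # cryptography >= 42
    if aware is not None:
        return aware
    return cert.not_valid_before.replace(tzinfo=timezone.utc)


def classify(cert: x509.Certificate) -> str:
    """Return 'unaffected', 'grandfathered' or 'blocked'."""
    orgs = [a.value for a in cert.issuer.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)]
    if not any("entrust" in str(o).lower() for o in orgs):
        return "unaffected"          # not an Entrust issuer; Chrome change does not apply
    if _not_before_utc(cert) <= CUTOFF:
        return "grandfathered"       # trusted by Chrome until its notAfter
    return "blocked"                 # issued after the cutoff: Chrome will reject it


def load_pem(pem: bytes) -> x509.Certificate:
    """Parse a PEM certificate, e.g. one dumped with `openssl s_client`."""
    return x509.load_pem_x509_certificate(pem)


def make_test_cert(org: str, not_before: datetime) -> x509.Certificate:
    """Constructed self-signed certificate for this example; not a real Entrust cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, "example.test"),
    ])
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + timedelta(days=398))
        .sign(key, hashes.SHA256())
    )


def status_for(org: str, issued_iso: str) -> str:
    """Build a constructed cert with the given issuer org and issue date, then classify it."""
    issued = datetime.fromisoformat(issued_iso).replace(tzinfo=timezone.utc)
    return classify(make_test_cert(org, issued))


if __name__ == "__main__":
    for org, day in [("Entrust, Inc.", "2024-06-01"),
                     ("Entrust, Inc.", "2024-11-01"),
                     ("Example CA LLC", "2024-11-01")]:
        print(f"{org:16s} issued {day}: {status_for(org, day)}")
```

For a live site, feed `load_pem` the leaf from `openssl s_client -connect host:443 -showcerts` and, if it reports "blocked", plan the renewal on a root Chrome still trusts before the old certificate's notAfter rather than after.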
Wilkinson added, controversially, that the certificate "mis-issuance" incidents at the heart of Google's and Mozilla's concerns (concerns both root programs had put to Entrust forcefully in public industry forums) had stemmed from "misinterpretation we made of CA/Browser Forum compliance requirements."
Several of the public incident reports filed in Mozilla's Bugzilla tracker show Entrust's own staff attributing mis-issuance incidents to "human error, and insufficient process governance", and acknowledging that they failed to notify the Apple and Microsoft root program teams of incidents.
Entrust has now “made changes in our organization, processes, and policies. For example, we have moved the CA product compliance team into our global compliance and operations teams to fully leverage the more robust capabilities of this larger organization” Wilkinson wrote.
“We have instituted a cross-functional change control board and a technical change review board to catch similar issues in the future.
“We are accelerating R&D for TLS certificate compliance and automation-related work while also improving the tracking of our public commitments and revising our public incident response practices to ensure such issues do not occur again,” the CEO wrote early this week. (Blog. FAQs)
“We respectfully ask for your patience as we work to ensure that you have no disruptions to the service you have come to expect from Entrust.”
Privately held Entrust reports revenues of close to $1 billion annually and approximately 10,000 customers globally including banks and governments. It is among the world’s largest digital certificate providers and also offers identity and cryptographic key management software.