Mozilla is following in Google Chrome’s footsteps in officially distrusting Entrust as a root certificate authority (CA) following what it says was a protracted period of compliance failures.
A little over a month ago, Google was the first to make the bold step of dropping Entrust as a CA, saying it noted a “pattern of concerning behaviors” from the company.
Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Firefox maker Mozilla.
In an email shared by Mozilla’s Ben Wilson on Wednesday, the root store manager said the decision wasn’t taken lightly, but equally Entrust’s response to Mozilla’s concerns didn’t inspire confidence that the situation would materially change for the better.
“Mozilla previously requested that Entrust provide a detailed report on these recent incidents and their root causes, an evaluation of Entrust’s recent actions in light of their previous commitments given in the aftermath of similarly serious incidents in 2020, and a proposal for how Entrust will re-establish Mozilla’s and the community’s trust,” said Wilson.
“Although Entrust’s updated report made an effort to engage with these issues, the commitments given in the report were not meaningfully different from the previous commitments which were given in 2020 and broken in the recent incidents.
“Ultimately, the proposed plan was not sufficient to restore trust in Entrust’s operation. Re-establishing trust requires a candid and clear accounting of failures and their root causes, a detailed and credible plan for how they can be addressed, and concrete commitments based on objective and externally measurable criteria.”
Wilson also cited a separate document that amalgamated the “substantial number of compliance incidents” at Entrust as cause for concern.
Between just March and May this year, Mozilla made note of 22 separate incidents, many of which related to various delays and missed deadlines.
However, Bruce Morton, director of certificate services at Entrust, responded to Wilson’s post directly, echoing the company’s previous commitment to regaining the trust of major browsers.
“Ben, we are disappointed by this decision but want to reaffirm Entrust’s commitment to continued execution of our improvement plan and re-establishing confidence with Mozilla and the Web PKI community,” he said.
“We also appreciate your support and endorsement of our plan to continue to operate as a delegated RA through our partnership with SSL.com. We’ll continue to provide updates here on both fronts.”
What Morton is referring to here is Entrust’s solution to maintaining relevance in the CA space, which involves partnering with SSL.com, whose certs are still trusted by Chrome et al, and essentially becoming a reseller, allowing its customers to stay with the company should they wish to.
When we contacted Entrust for a response, a spokesperson reiterated Morton’s response, saying it was disappointed by the decision, but “our plans have not changed. We remain committed to serving the digital certificate needs of our customers, and also to our role as a Certificate Authority.”
It added: “We are pleased that Mozilla endorsed our plan to continue offering our customers digital certificates by acting as a Registration Authority for TLS certificates issued by our partners at SSL.com. At the same time, we are actively and vigorously implementing an improvement plan to return to full browser acceptance.”
SSL.com certs bought through Entrust will still read “Entrust” in customers’ browsers, and customer support will be managed through the company too. SSL.com will be the issuing CA, making Entrust a registration authority (RA) rather than a CA.
However, customers have already pointed out in various online discussions that the premium Entrust is charging on these SSL.com certs is something to behold. For example, an Organization Validation Wildcard cert – a certificate that secures multiple subdomains of the same base domain by using a wildcard character (*) in the domain name field – costs $299 for one year when bought directly from SSL.com, whereas buying the same cert through Entrust costs $799.
Regarding this move, Wilson said: “We support this arrangement, recognizing that SSL.com, as the operator of the root CA within Mozilla’s root CA program, will be responsible for domain validation, certificate issuance, and revocation, and ultimately, for any incidents that may occur.”
Mozilla will officially stop trusting certificates issued by Entrust after November 30, 2024. Any Entrust certificate issued on or before that date will continue to be trusted, but anything issued after it won’t be. Certificates bought from Entrust under the SSL.com arrangement are unaffected, because they chain to SSL.com’s roots rather than Entrust’s.
“We hope Entrust will work to address the root causes of these incidents and so eventually re-establish confidence in its internal policies and processes, its tooling and technology, and its commitment to the Web PKI community,” Wilson added.
Google’s cutoff is a month sooner than Mozilla’s – any certificate issued after October 31 won’t be trusted by Chrome 127 and later. Chrome keys the date on the certificate’s earliest Signed Certificate Timestamp (SCT) rather than on the certificate itself.
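As an added check (this script is not from the article, nor from Entrust, Mozilla or Google), the following POSIX shell script classifies a PEM certificate against the two cutoffs above using only the openssl CLI. It makes two labelled assumptions that should be verified against the real chain: that an issuer whose organization name begins with "Entrust" chains to an Entrust root (Entrust's own intermediates carry O=Entrust, Inc., while SSL.com's carry O=SSL Corp, so certs bought through Entrust's RA arrangement come out as unaffected), and that the certificate's notBefore stands in for Chrome's SCT-based issuance date, which is normally within seconds of it.

```shell
#!/bin/sh
# entrust_check.sh: classify a PEM certificate against the Entrust distrust
# cutoffs reported in the article. Added example, not code from Entrust,
# Mozilla or Google. Requires the openssl CLI.
#
# Assumptions (labelled): an issuer with O=Entrust... is taken to chain to an
# Entrust root; notBefore stands in for Chrome's SCT date.

MOZILLA_CUTOFF=20241130   # issued after this: distrusted by Firefox
CHROME_CUTOFF=20241031    # issued after this: distrusted by Chrome 127+

# Convert openssl's "Jul  3 12:00:00 2024 GMT" into 20240703 so dates can
# be compared as plain integers without relying on GNU date.
to_yyyymmdd() {
  printf '%s\n' "$1" | awk '{
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= 12; i++) if (m[i] == $1) mon = i
    printf "%04d%02d%02d\n", $4, mon, $2
  }'
}

# entrust_check CERT.pem chrome|firefox
# Prints one of: not-entrust, trusted-legacy, distrusted
entrust_check() {
  pem=$1
  browser=$2
  # RFC2253 output gives a stable "O=Entrust\, Inc." form across versions.
  issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253)
  case "$issuer" in
    *"O=Entrust"*) ;;                      # heuristic: Entrust-operated issuer
    *) echo not-entrust; return 0 ;;
  esac
  not_before=$(openssl x509 -in "$pem" -noout -startdate | sed 's/^notBefore=//')
  issued=$(to_yyyymmdd "$not_before")
  case "$browser" in
    chrome)  cutoff=$CHROME_CUTOFF ;;
    firefox) cutoff=$MOZILLA_CUTOFF ;;
    *) echo "usage: entrust_check CERT.pem chrome|firefox" >&2; return 2 ;;
  esac
  if [ "$issued" -gt "$cutoff" ]; then
    echo distrusted        # Entrust-issued after the cutoff
  else
    echo trusted-legacy    # Entrust-issued before the cutoff, still accepted
  fi
}

# When invoked as a script: sh entrust_check.sh cert.pem chrome|firefox
if [ $# -eq 2 ]; then
  entrust_check "$1" "$2"
fi
```

Run it on a leaf certificate saved from `openssl s_client -showcerts`. Treat the result as a screening heuristic only: the authoritative test is which root the chain actually validates to in the browser's own store, and a certificate classed as trusted-legacy is accepted only until its own expiry.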
“Certification authorities serve a privileged and trusted role on the internet that underpin encrypted connections between browsers and websites,” Google said last month. “With this tremendous responsibility comes an expectation of adhering to reasonable and consensus-driven security and compliance expectations, including those defined by the CA/Browser TLS Baseline Requirements.
“Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly trusted CA poses to the internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.” ®