Distrust of Entrust by Google

I realize this isn't directly related to Let's Encrypt issuance policy, but rather the larger Web PKI and figured folks here might not have heard already.

Chrome's Root Store will no longer trust Entrust certs signed after October 31, 2024. It stands to reason other root stores will eventually follow suit if Chrome follows through.

7 Likes
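A quick check a site operator could run against the cut-off stated in the post above, added here as an example and not code from the thread or from any of the programs discussed. It uses only Python's standard library and works on the dict that `ssl.getpeercert()` returns; treating "Entrust" in the issuer's organizationName as the marker for an affected certificate, and notBefore as a proxy for the signing date, are both assumptions (Chrome's actual rule is scoped to a specific set of Entrust roots rather than a name match).

```python
import socket
import ssl
from datetime import datetime, timezone

# Cut-off from the thread: Entrust certificates signed after this date
# will no longer be trusted by Chrome's root store.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

# Assumption: an affected leaf is recognised by "Entrust" in the issuer's
# organizationName; Chrome's real rule is keyed to specific Entrust roots.
ENTRUST_MARKER = "entrust"


def issuer_org(cert):
    """Issuer organizationName from an ssl.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return ""


def classify(cert):
    """'unaffected', 'still_trusted' (Entrust, on/before cut-off) or 'distrusted'."""
    if ENTRUST_MARKER not in issuer_org(cert).lower():
        return "unaffected"
    # notBefore is used as a proxy for the signing date (assumption).
    signed = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return "distrusted" if signed > CUTOFF else "still_trusted"


def check_host(host, port=443):
    """Fetch a live server's leaf certificate and classify it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert())


def entrust_sample(not_before):
    """Constructed getpeercert()-style dict for an Entrust-issued leaf."""
    return {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Entrust, Inc."),),
                   (("commonName", "Entrust Example Issuing CA (constructed)"),)),
        "notBefore": not_before,
    }
```

`check_host("example.org")` runs the same classification against a live server; `classify()` can also be fed the output of an existing inventory that already stores issuer and notBefore.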

If someone wants the primary sources,

https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw

https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM

5 Likes

This seems odd to me - they're announcing a block 126 days in advance. Why not start distrusting immediately or in a shorter timeframe than 4 months?

It's also odd that Mozilla did not announce distrust first, as they seem to have been leading the investigation and complaints.

3 Likes

I'm sure there were heated conversations about the timing that involved balancing PKI security with the ability for existing Entrust customers to migrate.

4 Likes

While Mozilla remains the arbiter of browser trust for now, Google could block a CA (and/or any site) pretty much overnight if they really wanted to. They currently hold the keys to the web.

4 Likes

I find it very interesting and kinda funny that Entrust, according to the dev-security-policy discussion, seems to kinda treat the Mozilla root program with some contempt, but would act immediately when someone from Google added something to the discussion. And afterwards treat the Mozilla root program with some contempt again.

And now it's actually Google taking actions due to, probably, the discussion initiated from Mozilla.

Thus a hard lesson not to ignore the Mozilla root program, even if they themselves don't block your roots. Google will.

I'm curious to learn in the future what kind of consequences this has for the company itself with their 2500+ employees.

3 Likes

There are months' worth of threads on Bugzilla, and as LE people are known to watch Bugzilla for lessons, I expect they watched Entrust sleepwalking into distrust firsthand during their working hours.

4 Likes

Well, they do a lot of things besides being a public CA. My wild guess is that for the CA end of things, they'll become a cobranded reseller of some other CA, at least in the meantime, based on their post saying that they intend to work with "partner roots". But I am just wildly speculating.

5 Likes

https://www.entrust.com/blog/2024/07/announcing-our-new-tls-solution-offering/

7 Likes
