[INFORMATIONAL] Upcoming change for CA certificates included in the Chrome Root Store

[CCADB Public]

[This message is being sent on behalf of the Chrome Root Program to pub...@ccadb.org.]

All, 

The Chrome Root Program Policy states that Certification Authority (CA) certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to public incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.

Chrome's confidence in the reliability of certain CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year. These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome. To safeguard Chrome’s users, and preserve the integrity of the Chrome Root Store, we are taking the following action.

Upcoming change in Chrome 139 and higher:

• Transport Layer Security (TLS) server authentication certificates validating to the following root CA certificates whose earliest Signed Certificate Timestamp (SCT) is dated after July 31, 2025 11:59:59 PM UTC, will no longer be trusted by default.

  • OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co., Ltd.,C=TW

  • CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co., Ltd.,C=TW

  • CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU

• TLS server authentication certificates validating to the above set of roots whose earliest SCT is on or before July 31, 2025 11:59:59 PM UTC, will be unaffected by this change. 

This approach attempts to minimize disruption to existing subscribers using a previously announced Chrome feature to remove default trust based on the SCTs in TLS certificates. A recently published Google Security Blog post includes additional information for affected subscribers that allow for testing the impact of the described change before it takes effect.

Should a Chrome user or enterprise explicitly trust any of the above certificates on a platform and version of Chrome relying on the Chrome Root Store (e.g., explicit trust is conveyed through a Windows Group Policy Object), the SCT-based constraints described above will be overridden and certificates will function as they do today.  

Until these CA certificates are no longer included in the latest available version of the Chrome Root Store, we expect the CA Owners’s continued adherence to the Chrome Root Program Policy. Failure to do so may result in an accelerated removal timeline and/or additional restrictions (e.g., name constraints).

As we do with all CA Owners included in the Chrome Root Store, we will continue to use tools available to us, including Chrome’s internal PKI Monitoring solution, to measure and evaluate ongoing compliance objectives and protect Chrome’s users.

-The Chrome Root Program