This email announces Mozilla's decision regarding Entrust’s recent compliance incidents. After careful consideration of the nature of these incidents, Entrust’s proposal for addressing the incidents, and the community’s feedback, we have decided to set TLS distrust-after dates for the Entrust root certificates which are currently included in Mozilla’s Root Store.
Mozilla previously requested that Entrust provide a detailed report on these recent incidents and their root causes, an evaluation of Entrust’s recent actions in light of their previous commitments given in the aftermath of similarly serious incidents in 2020, and a proposal for how Entrust will re-establish Mozilla’s and the community’s trust.
Although Entrust’s updated report made an effort to engage with these issues, the commitments given in the report were not meaningfully different from the previous commitments which were given in 2020 and broken in the recent incidents. Ultimately, the proposed plan was not sufficient to restore trust in Entrust’s operation. Re-establishing trust requires a candid and clear accounting of failures and their root causes, a detailed and credible plan for how they can be addressed, and concrete commitments based on objective and externally measurable criteria.
Additionally, we are aware that Entrust has reached an agreement with SSL.com to act as its External Registration Authority (RA), performing pre-issuance vetting of certificate applicants for SSL.com. We support this arrangement, recognizing that SSL.com, as the operator of the root CA within Mozilla’s root CA program, will be responsible for domain validation, certificate issuance, and revocation, and ultimately, for any incidents that may occur.
In summary, we intend to implement a distrust-after date for TLS certificates issued after November 30, 2024, for the following root CAs:
CN=AffirmTrust Commercial
CN=AffirmTrust Networking
CN=AffirmTrust Premium
CN=AffirmTrust Premium ECC
CN=Entrust Root Certification Authority
CN=Entrust Root Certification Authority - EC1
CN=Entrust Root Certification Authority - G2
CN=Entrust Root Certification Authority - G4
CN=Entrust.net Certification Authority (2048)
We hope Entrust will work to address the root causes of these incidents and so eventually re-establish confidence in its internal policies and processes, its tooling and technology, and its commitment to the Web PKI community.
Sincerely,
Ben Wilson
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZjxsZy%3DgfVWyaHgW7L85MwoCDki5nN2MVRyxMqp8oNZg%40mail.gmail.com.
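The following is an added illustration and is not part of Ben Wilson's message, nor Mozilla's or NSS's code. It models the distrust-after rule the announcement describes: a TLS certificate chaining to one of the nine listed roots is treated as distrusted when it was issued after November 30, 2024, while earlier-issued certificates remain trusted until they expire. Two things are assumptions made here rather than statements from the message: that "issued after" is evaluated against the end-entity certificate's notBefore field, and that the calendar date is read as the end of that day in UTC. The helper names (`cn_from_dn`, `is_distrusted`, `evaluate_chain`), the chain representation and the three sample chains are all constructed for this example; they are not real certificates.

```python
from datetime import datetime, timezone

# Subject CNs of the root CAs listed in the announcement.
DISTRUSTED_ROOT_CNS = frozenset({
    "AffirmTrust Commercial",
    "AffirmTrust Networking",
    "AffirmTrust Premium",
    "AffirmTrust Premium ECC",
    "Entrust Root Certification Authority",
    "Entrust Root Certification Authority - EC1",
    "Entrust Root Certification Authority - G2",
    "Entrust Root Certification Authority - G4",
    "Entrust.net Certification Authority (2048)",
})

# TLS certificates issued after November 30, 2024 are affected. The
# announcement gives a calendar date; reading it as end-of-day UTC is an
# assumption made for this example.
DISTRUST_AFTER = datetime(2024, 11, 30, 23, 59, 59, tzinfo=timezone.utc)


def cn_from_dn(dn: str) -> str:
    """Extract the CN attribute from a comma-separated DN string.

    Deliberately simple: it assumes the CN value itself contains no comma,
    which holds for every root CN on the list above.
    """
    for part in dn.split(","):
        part = part.strip()
        if part.upper().startswith("CN="):
            return part[3:].strip()
    raise ValueError(f"no CN attribute in DN: {dn!r}")


def not_before_from_iso(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a naive value is taken to be UTC."""
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_distrusted(root_dn: str, leaf_not_before: datetime) -> bool:
    """True when the chain ends in a listed root AND the leaf was issued
    after the cutoff. Certificates issued on or before the cutoff are
    unaffected, whichever root they chain to."""
    if leaf_not_before.tzinfo is None:
        raise ValueError("leaf notBefore must be timezone-aware")
    return (cn_from_dn(root_dn) in DISTRUSTED_ROOT_CNS
            and leaf_not_before > DISTRUST_AFTER)


def evaluate_chain(chain: list[dict]) -> dict:
    """Evaluate a leaf-first chain of dicts with 'subject', 'issuer' and
    'not_before' (ISO 8601) keys. The root is the self-signed element
    (subject == issuer); the rule is applied to the leaf's notBefore."""
    leaf = chain[0]
    root = next((c for c in chain if c["subject"] == c["issuer"]), None)
    if root is None:
        raise ValueError("chain does not terminate in a self-signed root")
    nb = not_before_from_iso(leaf["not_before"])
    return {
        "leaf": cn_from_dn(leaf["subject"]),
        "root": cn_from_dn(root["subject"]),
        "leaf_not_before": nb.isoformat(),
        "distrusted": is_distrusted(root["subject"], nb),
    }


# Constructed sample chains (hypothetical certificates, not real ones).
_INTERMEDIATE = "CN=Example Intermediate CA, O=Example Org"
_ENTRUST_G2 = "CN=Entrust Root Certification Authority - G2, O=Entrust, Inc."
_OTHER_ROOT = "CN=Example Unaffected Root, O=Example Org"

CHAIN_ISSUED_AFTER_CUTOFF = [
    {"subject": "CN=www.example.com", "issuer": _INTERMEDIATE,
     "not_before": "2024-12-15T00:00:00+00:00"},
    {"subject": _INTERMEDIATE, "issuer": _ENTRUST_G2,
     "not_before": "2020-01-01T00:00:00+00:00"},
    {"subject": _ENTRUST_G2, "issuer": _ENTRUST_G2,
     "not_before": "2010-01-01T00:00:00+00:00"},
]

CHAIN_ISSUED_BEFORE_CUTOFF = [
    {"subject": "CN=legacy.example.com", "issuer": _INTERMEDIATE,
     "not_before": "2024-11-30T12:00:00+00:00"},
    CHAIN_ISSUED_AFTER_CUTOFF[1],
    CHAIN_ISSUED_AFTER_CUTOFF[2],
]

CHAIN_OTHER_ROOT = [
    {"subject": "CN=other.example.com", "issuer": _OTHER_ROOT,
     "not_before": "2025-01-01T00:00:00+00:00"},
    {"subject": _OTHER_ROOT, "issuer": _OTHER_ROOT,
     "not_before": "2010-01-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    for chain in (CHAIN_ISSUED_AFTER_CUTOFF, CHAIN_ISSUED_BEFORE_CUTOFF, CHAIN_OTHER_ROOT):
        print(evaluate_chain(chain))
```

Running the block evaluates the three constructed chains: only the first, whose leaf was issued after the cutoff under an Entrust root, comes back distrusted. Operationally, the useful direction for a site operator is to run such a check over their own inventory: any certificate chaining to a listed root that is renewed or reissued after the cutoff will fail in Mozilla clients, so those renewals need to come from a different root.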