Google is ending its trust in Entrust after a lengthy run of compliance failures and a general failure to improve.
Entrust is one of many certificate authorities (CAs) that Chrome uses to verify that websites visited by end users are trustworthy. Beginning with Chrome 127, which recently entered beta, TLS server authentication certificates that validate to Entrust's roots will no longer be trusted by default from November 1.
Google pointed to a series of incident reports involving Entrust over the past few years, saying they "highlighted a pattern of concerning behaviors" that ultimately saw the security company fall out of Google's good graces. Google said in a blog post that the incidents "undermine confidence in [Entrust's] capabilities, reliability, and integrity as the owner of a publicly trusted CA."
This follows a Mozilla post in May that compiled a long list of Entrust's certificate-issuance incidents between March and May of this year. In response, and after an initial reply that drew scathing feedback from the Mozilla community, Entrust acknowledged its procedural failures, thanked Mozilla, and said it viewed the feedback as a learning opportunity.
Now, it seems Google hasn't been as accepting of Entrust's apology. Google will offer a fairly long grace period ahead of the November deadline and says it intends to minimize potential disruption. Certificates issued before October 31 will remain valid as long as they validate to a root listed on Google's blog post. Users can also manually trust those roots after the change to retain their current functionality. Starting with Chrome 127, enterprises will also be able to override the restrictions described here if they wish to keep using Entrust certificates on their internal networks.

"Certificate authorities play a privileged and trusted role on the Internet, as they underpin encrypted connections between browsers and websites," Google said. "With this enormous responsibility comes the expectation to meet reasonable, consensus-based security and compliance requirements under the CA/Browser TLS Baseline Requirements.

"Over the past six years, we have seen inconsistencies, unfulfilled improvement commitments, and a lack of tangible, measurable progress in responding to publicly disclosed incident reports. When these factors are considered together and considered in relation to the inherent risk each publicly trusted CA poses to the Internet ecosystem, in our view, Chrome's continued reliance on Entrust is no longer warranted."
The change will apply to Chrome users on all major operating systems except Chrome on iOS, where Chrome cannot use its own certificate verifier on iPhones and iPads. macOS is not subject to that restriction, though, and will block Entrust certs from November like everything else.
For website owners, this means they'll need to choose a new CA before the November cutoff – ideally as soon as possible – to ensure visitors aren't met with Chrome's warning page flagging the connection to the site as unsafe. Tim Callan, chief experience officer at Sectigo, told The Reg in an email that the news is a reminder for CAs to adhere to the standards the industry expects of them.
"CAs must uphold the highest standards, not just for their own business, but for all the people and businesses that depend on them. With certificate lifecycles shortening to 90 days and the implications of quantum computing on the horizon, things are no less complicated.

"It's more important than ever that CAs and CLM service providers stay on top of their game and follow the CA/Browser Forum rules and Baseline Requirements."
An Entrust representative sent a statement to The Register: "The Chrome Root Program decision is disappointing to us as a long-term member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers."