I am not going to say with certainty that Entrust is definitely putting Chrome over Mozilla. However, I hope they know that most Linux systems out there use the Mozilla root store directly. On Tuesday, June 18, 2024 at 1:12:19 PM UTC-4 Mike Shaver wrote:
> On Tue, Jun 18, 2024 at 12:49 PM Walt <[email protected]> wrote:
>
>> I'd just like to point out that we now have a situation where Entrust is
>> in the position of seemingly valuing the opinion of other Root Programs
>> over Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1890898#c42
>>
>> In Comment #37, it was hinted at (and made slightly more explicit in #39)
>> that the opinion of the Mozilla RP is that the attempt to re-characterize
>> these certs was not going to be looked kindly upon, and only once a Google
>> RP member explicitly said that it was the Google RP opinion that the certs
>> remained mis-issued was any movement made on re-confirming the mis-issuance
>> and taking action to revoke them.
>>
>> Also, if we're in a position where Entrust is finally able to commit to
>> revoking certs within a 5 day period (setting aside that these certs
>> technically need a delayed revocation bug as the mis-issuance was known as
>> far back as 2024-04-10), why are other incidents not able to be resolved in
>> this amount of time? Is it because Google showed up?
>
> We've seen this behaviour in other incidents as well, I believe including
> the cpsURI one that has turned into a magnet for evidence of poor operation
> and lack of transparency and responsiveness. I remarked on it in my initial
> snarky reply to the Entrust Report, in fact.
>
> From a realpolitik perspective their behaviour could indeed be rational,
> especially when the only tool root programs have is distrust. Firefox would
> suffer substantial market disadvantage if it stopped trusting Entrust
> certificates when other browsers didn't. I think people generally
> underestimate how much Mozilla would be willing to take near-term pain to
> protect users, but it's also possible that I am overestimating it.
>
> Related to that, I think Chrome's root program representatives have
> generally been more willing to take a concrete position quickly, so Mozilla
> might be waiting for more explanation when Chrome decides that there's no
> explanation that could suffice, or similar. The root programs tend to be in
> agreement more often than not (virtually always with Chrome and Mozilla, I
> would say, excepting some slightly different root store populations), so it
> may be somewhat irrelevant whose opinion spurs motion.
>
> Realpolitik analysis aside, I do agree that Entrust has created the
> impression that they care much more about Chrome's opinion than Mozilla's,
> which IMO might not be the best posture to take given that Mozilla and its
> community are the locus for the processing and evaluation of the incidents
> in question.
>
> Mike
