Dear All,

This email announces Mozilla's decision regarding Entrust’s recent
compliance incidents
<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/uKzergzqAAAJ>.
After careful consideration of the nature of these incidents, Entrust’s
proposal for addressing the incidents, and the community’s feedback, we
have decided to set TLS distrust-after dates for the Entrust root
certificates which are currently included in Mozilla’s Root Store.

Mozilla previously requested
<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/uKzergzqAAAJ>
that Entrust provide a detailed report on these recent incidents and their
root causes, an evaluation of Entrust’s recent actions in light of their
previous commitments given in the aftermath of similarly serious incidents
in 2020, and a proposal for how Entrust will re-establish Mozilla’s and the
community’s trust.

Although Entrust’s updated report made an effort to engage with these
issues, the commitments given in the report were not meaningfully different
from the previous commitments which were given in 2020 and broken in the
recent incidents. Ultimately, the proposed plan was not sufficient to
restore trust in Entrust’s operation. Re-establishing trust requires a
candid and clear accounting of failures and their root causes, a detailed
and credible plan for how they can be addressed, and concrete commitments
based on objective and externally measurable criteria.

Additionally, we are aware that Entrust has reached an agreement with
SSL.com to act as its External Registration Authority (RA), performing
pre-issuance vetting of certificate applicants for SSL.com. We support this
arrangement, recognizing that SSL.com, as the operator of the root CA
within Mozilla’s root CA program, will be responsible for domain
validation, certificate issuance, and revocation, and ultimately, for any
incidents that may occur.

In summary, we intend to implement a distrust-after date for TLS
certificates issued after November 30, 2024, for the following root CAs:

CN=AffirmTrust Commercial

CN=AffirmTrust Networking

CN=AffirmTrust Premium

CN=AffirmTrust Premium ECC

CN=Entrust Root Certification Authority

CN=Entrust Root Certification Authority - EC1

CN=Entrust Root Certification Authority - G2

CN=Entrust Root Certification Authority - G4

CN=Entrust.net Certification Authority (2048)

We hope Entrust will work to address the root causes of these incidents and
so eventually re-establish confidence in its internal policies and
processes, its tooling and technology, and its commitment to the Web PKI
community.

Sincerely,
Ben Wilson
Mozilla Root Store Manager
