All,
In support of more closely aligning Chrome’s planned compliance action with
a major release milestone (i.e., Chrome 131
<https://chromiumdash.appspot.com/schedule>), we intend to delay the start
of blocking action to instead begin on November 12, 2024.
Description of updated blocking action:
Beginning in versions of Chrome 131 and higher…
- TLS server authentication certificates validating to the following
  Entrust roots whose earliest Signed Certificate Timestamp (SCT) is dated
  after November 11, 2024 (11:59:59 PM UTC), will no longer be trusted by
  default.
  - CN=Entrust Root Certification Authority - EC1,OU=See
    www.entrust.net/legal-terms+OU=(c) 2012 Entrust, Inc. - for
    authorized use only,O=Entrust, Inc.,C=US
    <https://crt.sh/?q=02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5>
  - CN=Entrust Root Certification Authority - G2,OU=See
    www.entrust.net/legal-terms+OU=(c) 2009 Entrust, Inc. - for
    authorized use only,O=Entrust, Inc.,C=US
    <https://crt.sh/?q=43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339>
  - CN=Entrust.net Certification Authority
    (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c)
    1999 Entrust.net Limited,O=Entrust.net
    <https://crt.sh/?q=6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177>
  - CN=Entrust Root Certification Authority,OU=www.entrust.net/CPS is
    incorporated by reference+OU=(c) 2006 Entrust, Inc.,O=Entrust, Inc.,C=US
    <https://crt.sh/?q=73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C>
  - CN=Entrust Root Certification Authority - G4,OU=See
    www.entrust.net/legal-terms+OU=(c) 2015 Entrust, Inc. - for
    authorized use only,O=Entrust, Inc.,C=US
    <https://crt.sh/?q=DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88>
  - CN=AffirmTrust Commercial,O=AffirmTrust,C=US
    <https://crt.sh/?q=0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7>
  - CN=AffirmTrust Networking,O=AffirmTrust,C=US
    <https://crt.sh/?q=0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B>
  - CN=AffirmTrust Premium,O=AffirmTrust,C=US
    <https://crt.sh/?q=70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A>
  - CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US
    <https://crt.sh/?q=BD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423>
- TLS server authentication certificates validating to the above set of
  roots whose earliest SCT is on or before November 11, 2024 (11:59:59 PM
  UTC), will be unaffected by this change.
The Google Security blog
<https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html>
has been updated to reflect this change.
Thank you.
-Ryan, on behalf of the Chrome Root Program
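The rule above is mechanical enough to check against your own certificates. What follows is an added example (not code from the Chrome Root Program or from anyone in this thread) that applies the announcement's two tests to a leaf certificate: whether the chain validates to one of the nine listed roots, matched by the SHA-256 fingerprint of the root's DER encoding (the hex value in each crt.sh link), and whether the earliest embedded SCT timestamp is after 2024-11-11 23:59:59 UTC. The SCT list parser follows the SignedCertificateTimestampList encoding of RFC 6962 section 3.3. All function and constant names are this example's own, and the sample SCT lists built at the bottom, with zeroed log IDs and empty signatures, are constructed test data, not real SCTs.

```python
"""Classify a TLS leaf under Chrome's Entrust distrust rule (Chrome 131+).

Added example; not code from the Chrome Root Program or the announcement.
Two inputs decide the outcome: the SHA-256 fingerprint of the root the chain
validates to, and the earliest timestamp among the leaf's embedded SCTs.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import List

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# From the announcement: earliest SCT dated after this instant => distrusted.
CUTOFF = datetime(2024, 11, 11, 23, 59, 59, tzinfo=timezone.utc)

# SHA-256 fingerprints (over the DER) of the nine roots named in the announcement.
AFFECTED_ROOTS = {
    "02ed0eb28c14da45165c566791700d6451d7fb56f0b2ab1d3b8eb070e56edff5",  # Entrust Root CA - EC1
    "43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339",  # Entrust Root CA - G2
    "6dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb177",  # Entrust.net CA (2048)
    "73c176434f1bc6d5adf45b0e76e727287c8de57616c1e6e6141a2b2cbc7d8e4c",  # Entrust Root CA
    "db3517d1f6732a2d5ab97c533ec70779ee3270a62fb4ac4238372460e6f01e88",  # Entrust Root CA - G4
    "0376ab1d54c5f9803ce4b2e201a0ee7eef7b57b636e8a93c9b8d4860c96f5fa7",  # AffirmTrust Commercial
    "0a81ec5a929777f145904af38d5d509f66b5e2c58fcdb531058b0e17f3f0b41b",  # AffirmTrust Networking
    "70a73f7f376b60074248904534b11482d5bf0e698ecc498df52577ebf2e93b9a",  # AffirmTrust Premium
    "bd71fdf6da97e4cf62d1647add2581b07d79adf8397eb4ecba9c5e8488821423",  # AffirmTrust Premium ECC
}
ENTRUST_G2 = "43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339"


def _u16(buf: bytes, off: int) -> int:
    """Big-endian uint16 at off, rejecting reads past the end instead of misparsing."""
    if off + 2 > len(buf):
        raise ValueError("truncated SCT data")
    return struct.unpack(">H", buf[off:off + 2])[0]


def parse_sct_timestamps(sct_list: bytes) -> List[datetime]:
    """Return the timestamp of every SCT in an RFC 6962 SignedCertificateTimestampList.

    Layout: uint16 total length, then repeated { uint16 length, SerializedSCT }.
    SerializedSCT: version(1) | log_id(32) | timestamp(8, ms since epoch) |
    extensions(uint16 len + bytes) | hash alg(1) | sig alg(1) | uint16 len | signature.
    Only the timestamp is used; the other fields are walked so a malformed
    list is rejected rather than silently misread.
    """
    total = _u16(sct_list, 0)
    body = sct_list[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    timestamps = []
    pos = 0
    while pos < len(body):
        sct_len = _u16(body, pos)
        sct = body[pos + 2:pos + 2 + sct_len]
        if len(sct) != sct_len or sct_len < 47:  # 47 = minimum v1 SCT with empty ext/sig
            raise ValueError("truncated or undersized SCT")
        pos += 2 + sct_len
        if sct[0] != 0:  # v1 is the only defined version
            raise ValueError("unsupported SCT version %d" % sct[0])
        ms = struct.unpack(">Q", sct[33:41])[0]
        ext_len = _u16(sct, 41)
        sig_off = 43 + ext_len + 2  # skip extensions and the two algorithm bytes
        sig_len = _u16(sct, sig_off)
        if sig_off + 2 + sig_len != len(sct):
            raise ValueError("SCT length does not match its fields")
        timestamps.append(EPOCH + timedelta(milliseconds=ms))
    return timestamps


def chrome_131_distrusts(root_sha256_hex: str, sct_list: bytes) -> bool:
    """True if Chrome 131+ will reject a leaf with these SCTs chaining to this root.

    Accepts the fingerprint as bare hex or in openssl's colon-separated form.
    A leaf with no SCTs has no "earliest SCT" under the announcement's wording
    and is reported as an error rather than guessed at.
    """
    fingerprint = root_sha256_hex.lower().replace(":", "")
    if fingerprint not in AFFECTED_ROOTS:
        return False
    timestamps = parse_sct_timestamps(sct_list)
    if not timestamps:
        raise ValueError("no SCTs present; cannot classify under the SCT-dated rule")
    return min(timestamps) > CUTOFF


def ms_since_epoch(dt: datetime) -> int:
    return (dt - EPOCH) // timedelta(milliseconds=1)


def build_test_sct(ms: int) -> bytes:
    """Constructed v1 SCT for tests: zero log ID, given timestamp, empty signature."""
    body = (b"\x00"                  # version v1
            + b"\x00" * 32           # log_id (zeroed; test data only)
            + struct.pack(">Q", ms)  # timestamp, ms since epoch
            + b"\x00\x00"            # extensions: length 0
            + b"\x04\x03"            # SignatureAndHashAlgorithm: sha256, ecdsa
            + b"\x00\x00")           # signature: length 0 (unsigned test data)
    return struct.pack(">H", len(body)) + body


def build_test_sct_list(*timestamps: datetime) -> bytes:
    entries = b"".join(build_test_sct(ms_since_epoch(t)) for t in timestamps)
    return struct.pack(">H", len(entries)) + entries


# Constructed samples: one leaf whose earliest SCT is exactly the cutoff second
# (unaffected, since the rule says "after"), one logged a second later (distrusted).
SAMPLE_ON_CUTOFF = build_test_sct_list(CUTOFF + timedelta(hours=10), CUTOFF)
SAMPLE_AFTER_CUTOFF = build_test_sct_list(CUTOFF + timedelta(seconds=1),
                                          CUTOFF + timedelta(days=3))

if __name__ == "__main__":
    for name, blob in (("on cutoff", SAMPLE_ON_CUTOFF), ("after cutoff", SAMPLE_AFTER_CUTOFF)):
        earliest = min(parse_sct_timestamps(blob))
        print("%s: earliest SCT %s -> distrusted=%s"
              % (name, earliest.isoformat(), chrome_131_distrusts(ENTRUST_G2, blob)))
```

To run this against a real certificate, the raw SCT list is the contents of the OCTET STRING in the 1.3.6.1.4.1.11129.2.4.2 extension (`openssl x509 -noout -text` prints the same SCTs, with their timestamps, under "CT Precertificate SCTs"), and `openssl x509 -noout -fingerprint -sha256` on the root gives the fingerprint to match. Two caveats a practitioner should keep in mind: the announcement says "earliest SCT" without limiting it to embedded SCTs, so SCTs delivered in the TLS handshake extension or a stapled OCSP response would have to be gathered as well (this example only reads the embedded list); and the root that matters is the one Chrome's verifier actually builds a path to, which with cross-signed intermediates need not be the root your server sends.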
On Fri, Jul 5, 2024 at 1:09 PM Wayne <[email protected]> wrote:
> Hanno, you downplay your own research. In particular, when "16 years of
> CVE-2008-0166 Debian OpenSSL Bug" <https://16years.secvuln.info/> was
> published, I did take note of how long it took until the DKIM keys were
> removed, and it was longer than 24 hours. 2024-05-13 15:00 UTC was when it
> was removed from DNS that I saw - at least 32 hours after that post was
> made.
>
> I presume you had direct contact with Entrust prior to that publication as
> well? How long did you notice it took them to handle that known-compromised
> key?
>
> On Friday, July 5, 2024 at 8:58:59 PM UTC+1 Hanno Böck wrote:
>
>> Hi,
>>
>> On Thu, 27 Jun 2024 14:19:40 -0600
>> "'Kurt Seifried' via CCADB Public" <[email protected]> wrote:
>>
>> > Question: what about CN = Entrust Verified Mark Root Certification
>> > Authority - VMCR1 which is used for BIMI logos for example and
>> > supported in Gmail? Will Gmail be removing support for Entrust based
>> > VMC certificates and thus BIMI logos done via Entrust?
>>
>> In this context, possibly interesting: I had recently discovered that
>> many VMCs issued by Entrust were not compliant with the BIMI SVG
>> profile. I had made that public on the IETF BIMI list:
>> https://mailarchive.ietf.org/arch/msg/bimi/xzYRH72V2HE9xeUfXK_zUgYSI7k/
>>
>> Entrust handled the revocation reasonably well, but of course,
>> it raises questions how this could happen in the first place.
>> (I was more disappointed with Google's/GMail's reaction, or rather,
>> non-reaction)
>>
>> --
>> Hanno Böck - Independent security researcher
>> https://itsec.hboeck.de/
>>
--
You received this message because you are subscribed to the Google Groups
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O90QQCHiOkA4k%3DfDJNyUVm-Gxh1q%3DXG6YwGGPxBvG1vjg%40mail.gmail.com.