August 1, 2024 at 08:38AM
Mozilla is set to distrust Entrust as a root certificate authority following compliance failures, and Google has already taken this step. Despite Entrust’s efforts to regain trust, both companies find the proposed plan unsatisfactory. The decision is based on a history of compliance incidents and concerns about Entrust’s ability to address root causes.
Based on the meeting notes, it is clear that both Mozilla and Google have decided to stop trusting certificates issued by Entrust. This decision was made due to a pattern of compliance failures and a lack of confidence in Entrust’s response to these incidents. Although Entrust has outlined plans to regain trust, both companies found these plans inadequate and did not think they would materially change the situation for the better.
Mozilla has explicitly stated that Entrust’s proposed plan was insufficient to restore trust, and highlighted a substantial number of compliance incidents as a cause for concern. Additionally, there were concerns about the premium pricing that Entrust charged for SSL.com certs. Mozilla will officially stop trusting certificates issued by Entrust after November 30, 2024.
Google’s decision comes a month sooner than Mozilla’s, and Google noted a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.
Both Mozilla and Google have emphasized the importance of adherence to security and compliance expectations and the need for tangible, measurable progress in response to incident reports. Overall, the meeting notes reflect a clear decision by both companies to no longer trust certificates issued by Entrust.