Thanks, Ben. I know this was a pretty fraught process with a lot of moving parts, and I'm glad you were able to lead us to the conclusion of it. I agree with both your analysis and the decision, but have one question:
Why was a distrust-after date selected that's different from the one announced by CRP (October 31)? It seems that aligning those dates would make it easier for site owners and others to reason about what needs to be done, and avoid situations where testing in one browser gives false confidence about the general correctness of their system. (Of course, this is also a possible issue for other root programs that haven't announced any distrust plans for Entrust, but there's little that Mozilla can do about that aspect.)

Given CRP's earlier announcement, it seems quite likely that subscribers are already going to be planning to replace their certificates prior to Oct 31, so a somewhat shorter notice period for Mozilla's distrust action doesn't seem likely to disrupt anyone.

(I'm not just asking because I already have a patch for an Oct-31 distrust-after in my tree, I swear!)

Thanks,
Mike

On Wed, Jul 31, 2024 at 11:01 AM 'Ben Wilson' via [email protected] <[email protected]> wrote:
> Dear All,
>
> This email announces Mozilla's decision regarding Entrust's recent compliance incidents <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/uKzergzqAAAJ>. After careful consideration of the nature of these incidents, Entrust's proposal for addressing the incidents, and the community's feedback, we have decided to set TLS distrust-after dates for the Entrust root certificates which are currently included in Mozilla's Root Store.
>
> Mozilla previously requested <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/uKzergzqAAAJ> that Entrust provide a detailed report on these recent incidents and their root causes, an evaluation of Entrust's recent actions in light of their previous commitments given in the aftermath of similarly serious incidents in 2020, and a proposal for how Entrust will re-establish Mozilla's and the community's trust.
>
> Although Entrust's updated report made an effort to engage with these issues, the commitments given in the report were not meaningfully different from the previous commitments which were given in 2020 and broken in the recent incidents. Ultimately, the proposed plan was not sufficient to restore trust in Entrust's operation. Re-establishing trust requires a candid and clear accounting of failures and their root causes, a detailed and credible plan for how they can be addressed, and concrete commitments based on objective and externally measurable criteria.
>
> Additionally, we are aware that Entrust has reached an agreement with SSL.com to act as its External Registration Authority (RA), performing pre-issuance vetting of certificate applicants for SSL.com. We support this arrangement, recognizing that SSL.com, as the operator of the root CA within Mozilla's root CA program, will be responsible for domain validation, certificate issuance, and revocation, and ultimately, for any incidents that may occur.
>
> In summary, we intend to implement a distrust-after date for TLS certificates issued after November 30, 2024, for the following root CAs:
>
> CN=AffirmTrust Commercial
> CN=AffirmTrust Networking
> CN=AffirmTrust Premium
> CN=AffirmTrust Premium ECC
> CN=Entrust Root Certification Authority
> CN=Entrust Root Certification Authority - EC1
> CN=Entrust Root Certification Authority - G2
> CN=Entrust Root Certification Authority - G4
> CN=Entrust.net Certification Authority (2048)
>
> We hope Entrust will work to address the root causes of these incidents and so eventually re-establish confidence in its internal policies and processes, its tooling and technology, and its commitment to the Web PKI community.
>
> Sincerely,
> Ben Wilson
> Mozilla Root Store Manager
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZjxsZy%3DgfVWyaHgW7L85MwoCDki5nN2MVRyxMqp8oNZg%40mail.gmail.com.
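Added illustration, not code from the thread or from Mozilla: a small Python model of the distrust-after rule for the roots listed above, using Mozilla's November 30, 2024 cutoff from Ben's announcement and the CRP October 31 date from Mike's reply (the CRP year 2024, the root-CN matching and the sample chains are assumptions), which makes visible the case Mike raises where a chain passes in one browser but not the other.

```python
from dataclasses import dataclass
from datetime import date

# Root CA subject CNs named in the Mozilla announcement.
DISTRUSTED_ROOT_CNS = frozenset({
    "AffirmTrust Commercial",
    "AffirmTrust Networking",
    "AffirmTrust Premium",
    "AffirmTrust Premium ECC",
    "Entrust Root Certification Authority",
    "Entrust Root Certification Authority - EC1",
    "Entrust Root Certification Authority - G2",
    "Entrust Root Certification Authority - G4",
    "Entrust.net Certification Authority (2048)",
})

# Per-program cutoffs. Mozilla's date is from the announcement; the CRP date
# is October 31 as cited in the reply (year 2024 is an assumption here).
DISTRUST_AFTER = {
    "mozilla": date(2024, 11, 30),
    "crp": date(2024, 10, 31),
}


@dataclass(frozen=True)
class Chain:
    """Simplified view of a validated chain: the root it ends in and the
    leaf's notBefore date (real programs look at the full certificate)."""
    root_cn: str
    leaf_not_before: date


def trusted_by(program: str, chain: Chain) -> bool:
    """A chain stays trusted unless it ends in a listed root AND the leaf
    was issued after that program's cutoff ("issued after" => strictly later)."""
    if chain.root_cn not in DISTRUSTED_ROOT_CNS:
        return True
    return chain.leaf_not_before <= DISTRUST_AFTER[program]


def programs_disagree(chain: Chain) -> bool:
    """True when Mozilla and CRP reach different verdicts: the window in
    which testing in one browser gives false confidence about the other."""
    return trusted_by("mozilla", chain) != trusted_by("crp", chain)


# Constructed sample chains (not real certificates).
SAMPLE_CHAINS = [
    Chain("Entrust Root Certification Authority - G2", date(2024, 11, 15)),
    Chain("Entrust Root Certification Authority - G2", date(2024, 12, 2)),
    Chain("Some Unrelated Root CA", date(2025, 3, 1)),
]
```

Running `[programs_disagree(c) for c in SAMPLE_CHAINS]` flags only the first chain: issued between the two cutoffs, it still validates under Mozilla's date but not under CRP's.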
