
Entrust CA

Posted: July 3rd, 2024, 10:22 am
by Infrasonic
https://www.theregister.com/2024/06/28/ ... _over_six/


Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements.

Entrust is one of the many certificate authorities (CA) used by Chrome to verify that the websites end users visit are trustworthy. From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won't be trusted by default.

Crucially, this applies to certificates whose earliest Signed Certificate Timestamp is dated after October 31, 2024. So current certs will continue to work, but new ones after October 31 won't.

Google pointed to a series of incident reports over the past few years concerning Entrust, saying they "highlighted a pattern of concerning behaviors" that have ultimately seen the security company fall down in Google's estimations.

The incidents have "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly trusted CA owner," Google stated in a blog.

It follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year. In response, and after an initial reply that was greeted with harsh feedback from the Mozilla community, Entrust acknowledged its procedural failures, Mozilla noted, and said it was treating the feedback as a learning opportunity.

It now seems Google hasn't been as accepting of Entrust's apologetic response...
Cont.

Security Now have covered it in some detail (pages 12-20)... https://www.grc.com/sn/SN-981-Notes.pdf
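
The cut-off rule quoted in the post above (roots affected, earliest SCT dated after October 31, 2024) can be written as a check. This is an added sketch, not code from the article, Google or Chrome. The function names, the UTC end-of-day reading of the date, and the caller-supplied chain result are assumptions; the input is the TLS-encoded SCT list with the DER OCTET STRING wrappers already removed.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: "dated after October 31, 2024" means later than the end of that day, UTC.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=UTC)
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)


def parse_sct_timestamps(sct_list: bytes) -> list:
    """Timestamps from a TLS-encoded SignedCertificateTimestampList (RFC 6962, 3.3)."""
    if len(sct_list) < 2 or struct.unpack_from(">H", sct_list)[0] != len(sct_list) - 2:
        raise ValueError("SCT list length prefix does not match the data")
    stamps, pos = [], 2
    while pos < len(sct_list):
        if pos + 2 > len(sct_list):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack_from(">H", sct_list, pos)
        sct = sct_list[pos + 2 : pos + 2 + n]
        # v1 SCT: version (1 byte), log id (32 bytes), timestamp (8 bytes, ms since epoch)
        if len(sct) != n or n < 41 or sct[0] != 0:
            raise ValueError("truncated or non-v1 SCT")
        (ms,) = struct.unpack_from(">Q", sct, 33)
        stamps.append(EPOCH + timedelta(milliseconds=ms))
        pos += 2 + n
    return stamps


def distrusted_by_rule(chains_to_affected_root: bool, sct_list: bytes) -> bool:
    """True when the rule quoted above would stop default trust for this certificate."""
    if not chains_to_affected_root:
        return False
    stamps = parse_sct_timestamps(sct_list)
    if not stamps:
        raise ValueError("no SCTs present; the quoted rule does not cover this case")
    return min(stamps) > CUTOFF  # only the earliest SCT matters


def make_sct_list(*whens: datetime) -> bytes:
    """Constructed sample data: zeroed log ids and empty signatures, not real SCTs."""
    scts = b""
    for when in whens:
        ms = (when - EPOCH) // timedelta(milliseconds=1)
        body = b"\x00" + bytes(32) + struct.pack(">Q", ms) + b"\x00\x00\x04\x03\x00\x00"
        scts += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(scts)) + scts
```

A certificate carrying one SCT from before the cut-off and one from after it is not caught by the rule, because only the earliest timestamp is compared.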