After falling down in the estimations of major browser makers Google and Mozilla, Entrust faces a lengthy fight on its hands to regain industry trust and once more issue trusted TLS certificates.

That's according to the top dogs at rival cert issuer Sectigo. The company also claims that Microsoft and Apple are likely to follow in their competitors' footsteps in distrusting certificates newly issued by Entrust in Edge and Safari respectively.

Not only would the process of regaining the trust of major browsers take years, Sectigo's CTO Nick France told El Reg, it's a feat never accomplished before. None of the 14 certificate authorities (CA) previously distrusted as public root authorities have gone on to regain their status in the CA world.

"Google's policies are stringent and clear: Once trust is lost, regaining it is exceedingly difficult," said Sectigo CEO Kevin Weiss in an address shared with The Register before publication. "Only a select few global technology companies are granted the immense privilege of being custodians of digital trust. 

"It can take from 18 months to several years to have a public root trusted by browsers. This privilege comes with a non-negotiable responsibility - one that I personally feel a public duty to uphold."

"Google didn't decide to remove Entrust from its root store on a whim. Entrust has consistently failed to meet baseline requirements for years," Weiss claimed, adding he believed the biz had spent "months" obfuscating and "refusing to deal with the community about what it was doing."

We've covered the whole Entrust fiasco a fair bit recently. First Google dropped it in June as a public root authority, primarily meaning future Chrome versions won't accept websites' HTTPS certs if they were newly issued by Entrust; Firefox maker Mozilla followed suit last week. To quickly summarize: Entrust is alleged to have failed in a number of ways in recent years.

According to Google, these allegedly included delayed and failed revocation of certificates, failing to provide incident reports, and administrative errors such as including invalid data in certificate fields.

This showed the wider industry a "pattern of concerning behaviors," as Google put it, which added that Entrust could no longer be trusted to issue security certificates as a root authority. Entrust pinned many of these issues on misinterpretations of compliance requirements.

To top it all off, at the end of July Entrust was also accused of threatening customers with the revocation of their still-valid certificates if they refused to renew per its new terms in partnership with SSL.com.

Bruce Morton, director of certificate services at Entrust, denied the accusation immediately, saying this didn't reflect its renewal policies. When pressed on the matter, his response suggested the renewal procedure depends on what licensing model was taken up by the customer.

To maintain its relevance in the CA space while it works on regaining its lost trust, Entrust partnered with SSL.com, a trusted public root, and will essentially be a reseller of SSL.com's certs with the Entrust name slapped on it, making it more a registration authority (RA) rather than a fully fledged CA.

However, the two Sectigo chiefs said Entrust's plans to continue offering certs as an RA amounts essentially to asking its customers to wait and see if it all pans out as Entrust hopes, which isn't a certainty.

"The SSL.com integration doesn't exist yet. They haven't offered a way for customers to test it or test an SSL.com certificate. It's an unknown, with no release date and no guarantee it'll work," claimed France. 

"It also assumes that the SSL.com certificates are as widely compatible as Entrust's were and that SSL.com and Entrust are 'like for like' with their certificates. They may not be."

Weiss added it remains unclear whether SSL.com will be able to handle the increased volume of customers.

France also claimed the decision to partner with SSL.com was likely one made out of limited choice. Entrust needed a CA partner that served its primary demographic, North America, and one with which it doesn't compete with its other products, such as private PKI.

Entrust's new SSL.com-issued certs come with a premium. For example, an Organization Validation Wildcard cert bought directly from SSL.com for a single year costs $299, but buying the same from Entrust will cost customers $799. France asserted that given the limited options Entrust had when selecting SSL.com to partner with, "the pricing discrepancy was probably just a risk they had to accept and deal with."

Disregarding its new plan to regain trust as a CA, Entrust's attempts to curry favor after Google dropped it in July have been described as "too little too late." Sweeping organizational changes, from leadership to internal processes, and an increase in R&D spending on automation, have come too late to convince browser makers it can do right by its customers.

The company's newly issued certs will stop working in Chrome in November, and in Firefox a month later. How the transition unfolds and how many customers choose to stay with Entrust is not yet answered, but judging by the sentiment expressed in online discussions, it's possible many customers will go their own way.

The Register approached Entrust for its say on things, and until we hear from it, we can look back at its statement responding to Mozilla distrusting it last week. At the time, a spokesperson re-upped its initial ambition to keep fighting for its CA status.

They said: "Though we are disappointed by the decision, our plans have not changed. We remain committed to serving the digital certificate needs of our customers, and also to our role as a Certificate Authority. 

"We are pleased that Mozilla endorsed our plan to continue offering our customers digital certificates by acting as a Registration Authority for TLS certificates issued by our partners at SSL.com. At the same time, we are actively and vigorously implementing an improvement plan to return to full browser acceptance." ®

https://www.theregister.com//2024/08/08/entrust_faces_years_of_groveling/