Thought Leadership
The developer of the Firefox browser, Mozilla, has announced that it will no longer treat the certification service provider Entrust as a trusted root certification authority (CA). This decision follows a similar move by Google Chrome about a month ago.
The reasons for the withdrawal of trust are complex. Mozilla documented 22 separate incidents between March and May 2023 alone, mainly relating to delays and missed deadlines. In addition, Entrust’s responses to previous incidents from 2020 and the most recent incidents were not considered sufficient to restore the lost trust. Mozilla criticized in particular the lack of an open and clear presentation of the errors and their causes as well as a detailed and credible plan to remedy them.
The key date
The effects of this decision will be felt from November 30, 2024 will be noticeable. From this date, Mozilla will no longer classify any new certificates from Entrust as trustworthy. Certificates that have already been issued will remain valid for the time being. Google Chrome will implement this step one month earlier, from October 31, 2024, will be implemented.
Entrust expressed disappointment with the decision, but reiterated its commitment to improve. The company plans to continue as a Registration Authority (RA) in partnership with SSL.com to continue offering digital certificates to its customers. This solution will allow Entrust to remain in business by acting as a reseller for SSL.com certificates.
The decisions by Mozilla and Google underline the high demands placed on certificate authorities in the Internet ecosystem. Certificate authorities play a privileged and trusted role on the Internet, enabling encrypted connections between browsers and websites. With this enormous responsibility comes the expectation to adhere to appropriate and consensus-based security and compliance expectations.
