Entrust CEO pledges changes after Google’s dynamite decision

CEO blames "misinterpretation we made of CA/Browser Forum compliance requirements"


The CEO of Entrust said his company has made sweeping organisational changes in the wake of Google’s bombshell decision to block sites using its certificates – saying “we are committed to improvement” going forward.

Entrust CEO Todd Wilkinson made the comments after Google said Entrust’s “publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that… eroded confidence in its competence, reliability, and integrity as a publicly-trusted CA Owner.”

Google announced last week, to consternation across the industry, that Chrome will block sites using certificates issued by Entrust from November 1, 2024 onwards.


But Entrust said it can continue to serve customers: “All Entrust TLS certificates issued through October 31, 2024, will be trusted by default by Google through their expiration date. After October 31, we will have the operational capabilities to serve customers’ certificate needs, with alternative or even partner roots if necessary,” Wilkinson wrote on July 1.

Wilkinson added, controversially, that the certificate “mis-issuance” incidents at the heart of Google and Mozilla’s concerns (as expressed robustly to it via industry forums) had stemmed from “misinterpretation we made of CA/Browser Forum compliance requirements.” 

Several public bug reports visible via CA/B forums show Entrust’s own staff admitting to “human error, and insufficient process governance” as the cause of mis-issuance incidents as well as acknowledging that they failed to notify Apple and Microsoft Root Program teams of incidents.


Entrust has now “made changes in our organization, processes, and policies. For example, we have moved the CA product compliance team into our global compliance and operations teams to fully leverage the more robust capabilities of this larger organization,” Wilkinson wrote.

“We have instituted a cross-functional change control board and a technical change review board to catch similar issues in the future. 

“We are accelerating R&D for TLS certificate compliance and automation-related work while also improving the tracking of our public commitments and revising our public incident response practices to ensure such issues do not occur again,” the CEO wrote early this week. (Blog. FAQs)

“We respectfully ask for your patience as we work to ensure that you have no disruptions to the service you have come to expect from Entrust.”

Privately held Entrust reports revenues of close to $1 billion annually and approximately 10,000 customers globally including banks and governments. It is among the world’s largest digital certificate providers and also offers identity and cryptographic key management software.

Tomas Gustavsson, Chief PKI Officer, Keyfactor, commented: "Google's decision... will inevitably create many downstream effects on the system of trust that we rely on to do business online. It highlights the need for organizations to embrace CA and crypto-agility. Even the best CAs can and have fallen victim to human error. There is always the risk that a bad batch of certificates will be revoked or a CA will be removed from web browser trust stores. To ensure business continuity and avoid security risks, organizations need the agility to identify and replace certificates issued from one CA to another."

He added: "We recommend that IT and security leaders carefully evaluate their PKI and certificate landscape. While unfortunate, businesses will need to act quickly to identify and replace affected certificates, and this cannot be done manually. It is a wake-up call for organizations that digital trust isn't static, it's always under threat, and the only way to remain resilient is by ensuring you have full visibility of all certificates, automated processes to handle management and remediation, and most importantly, the flexibility to add, migrate, or switch CAs, without disruption to business operations."
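The practical step behind both Wilkinson's "issued through October 31, 2024" line and Gustavsson's "identify and replace affected certificates" advice is an inventory pass that sorts certificates by issuer and issuance date against the cutoff. The Go program below is an added example written for this article; it is not Entrust's, Keyfactor's or Google's code. It assumes, as a simplification, that the affected CA can be recognised by the Organization attribute of the issuer DN (Chrome's actual policy is keyed on specific root certificates, so a production tool should match on the chain's root), and it uses constructed self-signed test certificates rather than any real Entrust certificate so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Cutoff from the article: certificates issued through 2024-10-31 stay trusted
// by Chrome until they expire; those issued from 2024-11-01 onwards are blocked.
var Cutoff = time.Date(2024, time.November, 1, 0, 0, 0, 0, time.UTC)

// DistrustedOrg is an assumption made for this example: match the affected CA on
// the issuer Organization name. Chrome keys its policy on specific roots instead.
const DistrustedOrg = "Entrust"

// Verdict is the inventory result for one certificate.
type Verdict struct {
	Subject   string
	IssuerOrg string
	NotBefore time.Time
	Affected  bool // true when Chrome will not trust the certificate
	Reason    string
}

// Classify applies the issuer-plus-cutoff rule to one parsed certificate.
func Classify(cert *x509.Certificate) Verdict {
	v := Verdict{Subject: cert.Subject.CommonName, NotBefore: cert.NotBefore,
		IssuerOrg: strings.Join(cert.Issuer.Organization, ", ")}
	inScope := false
	for _, org := range cert.Issuer.Organization {
		inScope = inScope || strings.EqualFold(org, DistrustedOrg)
	}
	switch {
	case !inScope:
		v.Reason = "issuer not affected by the Chrome decision"
	case cert.NotBefore.Before(Cutoff):
		v.Reason = "issued before cutoff: trusted until expiry, schedule replacement"
	default:
		v.Affected = true
		v.Reason = "issued on or after cutoff: Chrome will block it, replace now"
	}
	return v
}

// ClassifyPEM walks a PEM bundle (such as an exported inventory) and classifies
// every CERTIFICATE block, ignoring keys and other block types.
func ClassifyPEM(bundle []byte) ([]Verdict, error) {
	var out []Verdict
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		out = append(out, Classify(cert))
	}
	return out, nil
}

// makeTestCert builds a constructed, self-signed certificate so the example runs
// offline. These are NOT real Entrust certificates; the Organization is set only
// so that Classify has an issuer name to match. Self-signed means the issuer DN
// is copied from the subject.
func makeTestCert(org, cn string, notBefore time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle returns three constructed certificates in a fixed order:
// issued after the cutoff, issued before it, and from an unrelated CA.
func SampleBundle() []byte {
	day := func(m time.Month, d int) time.Time { return time.Date(2024, m, d, 0, 0, 0, 0, time.UTC) }
	var b []byte
	b = append(b, makeTestCert(DistrustedOrg, "shop.example.test", day(time.November, 15))...)
	b = append(b, makeTestCert(DistrustedOrg, "api.example.test", day(time.June, 1))...)
	b = append(b, makeTestCert("Other CA", "www.example.test", day(time.December, 1))...)
	return b
}

func main() {
	verdicts, err := ClassifyPEM(SampleBundle())
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("%-18s issuer=%-9s notBefore=%s affected=%t (%s)\n",
			v.Subject, v.IssuerOrg, v.NotBefore.Format("2006-01-02"), v.Affected, v.Reason)
	}
}
```

Run against a real inventory by replacing `SampleBundle()` with the bytes of an exported PEM bundle. The "issued before cutoff" verdict is deliberately kept separate from "not affected": those certificates still work in Chrome until they expire, but they are the ones a crypto-agility plan should queue for migration to another CA rather than renew in place.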