Entrust Certificate Distrust

Scope of Entrust’s Problems

  • Many commenters note the technical mis-issuances were relatively minor.
  • The core issue is Entrust’s response:
    • Repeated failure to revoke misissued certs within the required 5 days.
    • Continuing to issue non-compliant certs after being warned.
    • Incomplete or poor-quality incident reports and remediation plans.
    • Difficulty producing accurate lists of affected certificates.
    • Apparent inability to do mass revocations quickly, implying inadequate resourcing.
  • View: this pattern shows they cannot be trusted to handle a serious incident.

Why Distrust Now, Not Earlier

  • Some argue browsers gave Entrust “every chance” to avoid appearing heavy‑handed or “censoring the internet.”
  • Others think root programs waited until there was clear, historical evidence Entrust’s process improvement rate was inadequate.

Impact on Sites and Ecosystem

  • Many high-profile sites and payment processors reportedly use Entrust, including banks, airlines, government domains, and Cybersource.
  • Chrome keys its phased distrust on the CT SCT timestamps embedded in certificates, to minimize breakage: existing certs keep working until certain dates.
  • Admins can explicitly override Chrome’s distrust, but that override is coarse (trust all / trust none), which frustrates some.

CA Business Model and Governance

  • Broad sentiment that commercial CAs are rent-seeking and exist only because browsers/OSes list them.
  • Several comments blame cost-cutting, non-technical management, and a belief they were “too big to fail.”
  • Others note Entrust has substantial non‑web‑PKI business (cards, HSMs, ID printers, BIMI), so this is reputationally severe but not existential.

Let’s Encrypt vs Traditional CAs

  • Let’s Encrypt is praised for automation, simplicity, and alignment of incentives; still subject to the same rules but has far fewer incidents.
  • Traditional CAs like Entrust mainly serve legacy/manual environments where moving to LE is politically or technically hard.

Certificate Transparency and Security

  • CT is highlighted as a major shift: Chrome/Safari and some platforms require CT-logged certs.
  • Debate on using SCT timestamps for trust decisions; some worry about log backdating, but monitoring tools now check for this.
  • CT considered a strong deterrent to covert MITM, though not foolproof.
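The two points above that touch mechanics (the SCT-timestamp-based phased distrust described under "Impact on Sites and Ecosystem", and the worry about log backdating here) are easier to reason about with the data structure in hand. The following is an added example, not code from the discussion or from any browser or CA: it parses an RFC 6962 SignedCertificateTimestampList as embedded in a certificate, applies a "trusted only if the earliest SCT predates the cutoff" rule, and flags SCTs stamped implausibly far before the certificate's notBefore. The cutoff date, the 24-hour tolerance, the log IDs and the SCT bytes are all constructed placeholders; the real root-program dates are not given in these notes, and signatures are not verified.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)

# Placeholder cutoff: the notes say "certain dates" but do not give them.
DISTRUST_CUTOFF = datetime(2024, 11, 1, tzinfo=UTC)

# Heuristic (assumption, not a published rule): CAs commonly set notBefore an
# hour or so before the precert is logged, so an SCT stamped well *before*
# notBefore is anomalous and worth a monitor's attention.
BACKDATE_TOLERANCE = timedelta(hours=24)

LOG_A = b"\xa1" * 32   # constructed log IDs, not real CT logs
LOG_B = b"\xb2" * 32


def build_sct(log_id: bytes, ts: datetime, signature: bytes = b"\x00" * 64) -> bytes:
    """Serialize one RFC 6962 v1 SCT. Constructed test data with a dummy signature."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes (SHA-256 of the log key)")
    ms = int((ts - EPOCH) / timedelta(milliseconds=1))
    extensions = b""
    return (b"\x00"                                       # sct_version = v1
            + log_id
            + struct.pack(">Q", ms)                       # uint64 ms since epoch
            + struct.pack(">H", len(extensions)) + extensions
            + b"\x04\x03"                                 # sha256 / ecdsa
            + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts) -> bytes:
    """Wrap SCTs into a SignedCertificateTimestampList (uint16 outer and per-item lengths)."""
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner


def parse_sct_list(data: bytes):
    """Parse a SignedCertificateTimestampList into (log_id_hex, timestamp) pairs.
    Signatures are not checked; a real client verifies each against the log's key."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, out = 2, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length field")
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        sct = data[pos:pos + n]
        pos += n
        if len(sct) != n or n < 1 + 32 + 8 + 2 + 2 + 2:
            raise ValueError("truncated SCT")
        if sct[0] != 0:
            raise ValueError("unsupported SCT version %d" % sct[0])
        log_id = sct[1:33]
        (ms,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        if 43 + ext_len + 4 > n:           # extensions plus sig algs plus sig length
            raise ValueError("SCT extensions overrun")
        out.append((log_id.hex(), EPOCH + timedelta(milliseconds=ms)))
    return out


def evaluate(not_before: datetime, sct_list: bytes, cutoff: datetime = DISTRUST_CUTOFF) -> dict:
    """Phased-distrust rule: trusted only if the earliest embedded SCT predates the
    cutoff. Separately report SCTs stamped before notBefore minus the tolerance."""
    scts = parse_sct_list(sct_list)
    if not scts:
        return {"trusted": False, "earliest_sct": None, "suspicious_logs": []}
    earliest = min(ts for _, ts in scts)
    suspicious = sorted(lid for lid, ts in scts if ts < not_before - BACKDATE_TOLERANCE)
    return {"trusted": earliest < cutoff, "earliest_sct": earliest, "suspicious_logs": suspicious}


def sample_cases():
    """Three constructed certificates: logged before cutoff, after cutoff, and one
    carrying an SCT stamped weeks before the cert existed."""
    def utc(*a):
        return datetime(*a, tzinfo=UTC)
    return {
        "before_cutoff": (utc(2024, 10, 14, 23, 0), build_sct_list([
            build_sct(LOG_A, utc(2024, 10, 15, 0, 2)), build_sct(LOG_B, utc(2024, 10, 15, 0, 3))])),
        "after_cutoff": (utc(2024, 11, 9, 23, 0), build_sct_list([
            build_sct(LOG_A, utc(2024, 11, 10, 0, 1))])),
        "backdated_sct": (utc(2024, 11, 9, 23, 0), build_sct_list([
            build_sct(LOG_A, utc(2024, 11, 10, 0, 1)), build_sct(LOG_B, utc(2024, 10, 1, 0, 0))])),
    }


def run_cases():
    return {name: evaluate(nb, lst) for name, (nb, lst) in sample_cases().items()}


if __name__ == "__main__":
    for name, r in run_cases().items():
        print(f"{name}: trusted={r['trusted']} earliest={r['earliest_sct']} "
              f"suspicious={r['suspicious_logs']}")
```

The third case is the backdating concern in miniature: a single SCT with an early timestamp drags the "earliest SCT" before the cutoff and keeps the certificate trusted, which is why the timestamp alone is not the whole story and why monitors compare SCT timestamps against the certificate's own validity period and the log's published history.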

BIMI and Logo Certificates

  • BIMI/VMC certs described by some as a “racket” or cash grab; others see value in phishing resistance and visual brand cues.
  • Trademark scope and potential logo duplication are cited as structural weaknesses.