Musings about WebPKI and Public Trust

submitted by
Style Pass
2024-04-22 15:30:10

This piece is Part 2 of a series on Entrust’s historically harmful behavior as a CA. If you haven’t read Part 1 yet, you can find the link here.

Similar to Part 1, I’m using a SIRQ (Subjective Incident Response Quality) to assign some sort of number to each of these incidents.

Entrust made a decision to knowingly continue the misissuance of certificates in “Entrust: EV TLS Certificate cPSuri missing.” I’ve been unable to understand what led them to make this decision. It was obvious to anyone who has been in the WebPKI ecosystem that a choice like that would have negative consequences for the CA. I did try to ask Entrust to explain their decision-making process about how and why they decided to do that. Unfortunately, I was unable to get a clear answer from them about this.
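The incident named above concerns EV certificates whose certificatePolicies extension lacked a cPSuri policy qualifier (the PKIX qualifier with OID 1.3.6.1.5.5.7.2.1 that points at the CA's CPS). The following is an added example, not code from the post or from Entrust: a small, dependency-free DER walker that lints a certificatePolicies extension value and reports every policy that carries no CPS URI. The sample extension bytes are constructed inline with a tiny encoder (they are not taken from any real certificate), and the `example.invalid` URL and the helper names are assumptions; in practice you would feed it the raw extension value pulled from a certificate with an ASN.1 library and run it over a CA's issuance as a pre-issuance or CT-monitoring check.

```python
"""Lint a DER certificatePolicies extension for a missing cPSuri qualifier (added example)."""

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # PKIX id-qt-cps: qualifier carrying a CPS pointer
EV_POLICY_OID = "2.23.140.1.1"    # CA/Browser Forum EV policy OID


# ---- minimal DER encoder, used only to construct the sample input below ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _policy_info(policy_oid, cps_uri=None):
    """PolicyInformation ::= SEQUENCE { policyIdentifier, policyQualifiers OPTIONAL }."""
    body = _encode_oid(policy_oid)
    if cps_uri is not None:
        qualifier = _tlv(0x30, _encode_oid(ID_QT_CPS) + _tlv(0x16, cps_uri.encode("ascii")))
        body += _tlv(0x30, qualifier)   # SEQUENCE OF PolicyQualifierInfo
    return _tlv(0x30, body)


# ---- minimal DER decoder ----
def _read_tlv(buf, pos):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:                                  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def lint_certificate_policies(ext_value):
    """Map each policy OID in the extension to its CPS URI, or None if no cPSuri qualifier."""
    tag, seq_of, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    result = {}
    for _, info in _children(seq_of):
        parts = list(_children(info))
        cps = None
        if len(parts) > 1:                 # policyQualifiers present
            for _, qual in _children(parts[1][1]):
                qid, qval = list(_children(qual))[:2]
                if _decode_oid(qid[1]) == ID_QT_CPS and qval[0] == 0x16:   # IA5String
                    cps = qval[1].decode("ascii")
        result[_decode_oid(parts[0][1])] = cps
    return result


def missing_cps_uri(ext_value):
    """Policy OIDs that have no CPS URI; non-empty means the check fails."""
    return [oid for oid, cps in lint_certificate_policies(ext_value).items() if cps is None]


# Constructed sample extensions (assumed values, not real certificates)
GOOD_EXT = _tlv(0x30, _policy_info(EV_POLICY_OID, "https://example.invalid/cps"))
BAD_EXT = _tlv(0x30, _policy_info(EV_POLICY_OID))

if __name__ == "__main__":
    print(missing_cps_uri(GOOD_EXT))   # []
    print(missing_cps_uri(BAD_EXT))    # ['2.23.140.1.1']
```

The check is deliberately narrow: it only answers "does every asserted policy carry a CPS pointer?", which is exactly the kind of deterministic lint a CA can run before signing, so that the profile defect the incident describes is caught by tooling rather than by an external report.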

In this incident, Entrust issues a certificate to a private organization but mistakenly marks it as a “Non-Commercial Entity” in the subject information. Entrust does not find this problem on their own; it is reported to them in a Certificate Problem Report (CPR).