
Musings about WebPKI and Public Trust

submitted by
Style Pass
2024-05-07 08:00:08

Mozilla has collected and prepared a new page (archive) for recent Entrust incidents. I do not know if this is a precursor of Mozilla taking any mitigating actions against Entrust’s gross negligence and active disregard for the BRs. However, I think it’s still worth reading this report and looking at what potential options the root programs have, and especially how Mozilla can lead here.

On this page we see a sticking-to-the-facts style of reporting from Mozilla about how the incidents were classified, and the gist of the failures we’ve seen from Entrust.

Reading this post, and thinking about the Entrust Considered Harmful series, I would argue that Entrust hasn’t reached the historical level of non-compliance that would necessitate distrust. But as I discussed in “Beyond Distrust, what can a root program do?”, there are options that the root programs can take that aren’t the nuclear option.

Entrust knows how to properly do incident response. They’re just choosing not to do so when the incident requires a large number of revocations.
