It always fascinates me when this happens. Don't the CAs understand that the browser vendors can and will kill their business if they don't comply with the rules? It's not like a fine that can be ignored.
How dysfunctional does a company have to be to let this happen?
All you need is one single [cc]?.gov as your client and you are in business forever.
How? If you want to sell public certs you need Google (and Apple and Microsoft) to grant permission.
Private certs are not that big a business.
After you've sold a .gov, any discussion about not supporting your root means denying users access to that .gov service.
CA roots are not connected to TLDs.
They’re saying that once you’ve sold certs to governments, distrusting that root will deny people access to government resources. They’re merely using “.gov” as a proxy for “some government”.
Also roots can be TLD constrained, typically to ccTLD(s).
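To make the preceding point concrete, here is an added example (not code from the thread or from any CA) showing what a TLD-constrained root looks like and, just as importantly, where the constraint is enforced: the CA can still sign anything, but a relying party rejects leaves outside the permitted subtree. It uses only Go's standard-library X.509 implementation; the root, the leaf, the ".fr" ccTLD constraint and the DNS names are all constructed in memory for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// constrainedRoot is an in-memory CA whose NameConstraints extension limits the
// DNS names it may vouch for (constructed for this example; not a real root).
type constrainedRoot struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newConstrainedRoot self-signs a CA certificate with a critical NameConstraints
// extension. A permitted entry with a leading "." (e.g. ".fr") matches any name
// with at least one label under that suffix; an entry without the dot also
// matches the bare name. nil slices produce an ordinary unconstrained root.
func newConstrainedRoot(permitted, excluded []string) (*constrainedRoot, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: "Example Constrained Root"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         permitted,
		ExcludedDNSDomains:          excluded,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &constrainedRoot{cert: cert, key: key}, nil
}

// issueLeaf signs a server certificate for dnsName. The CA does not refuse
// out-of-scope names here: the constraint bites at verification time.
func (r *constrainedRoot) issueLeaf(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, r.cert, &key.PublicKey, r.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyUnderConstraint builds a root with the given DNS constraints, issues a
// leaf for dnsName under it, and runs standard chain verification with that
// root as the only trust anchor. A nil error means the chain was accepted.
func VerifyUnderConstraint(permitted, excluded []string, dnsName string) error {
	root, err := newConstrainedRoot(permitted, excluded)
	if err != nil {
		return err
	}
	leaf, err := root.issueLeaf(dnsName)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root.cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

func main() {
	cases := []struct {
		permitted, excluded []string
		name                string
	}{
		{[]string{".fr"}, nil, "www.example.gouv.fr"},           // inside the ccTLD subtree: accepted
		{[]string{".fr"}, nil, "www.example.com"},               // outside it: rejected
		{[]string{".fr"}, []string{"evil.fr"}, "login.evil.fr"}, // carved out by an exclusion: rejected
		{nil, nil, "www.example.com"},                           // unconstrained root: accepted
	}
	for _, c := range cases {
		err := VerifyUnderConstraint(c.permitted, c.excluded, c.name)
		fmt.Printf("permitted=%v excluded=%v name=%s -> %v\n", c.permitted, c.excluded, c.name, err)
	}
}
```

The design point worth noticing is the asymmetry: issuance succeeds for every name above, and only `Verify` refuses the out-of-scope chains. A constraint therefore only protects users whose clients actually enforce NameConstraints, which is why a constrained root in a browser root store is a real limit while the same extension is no substitute for the CA's own issuance controls.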
But they are very carefully not breaking anyone. If you have an Entrust cert it will keep working; you can even renew it with them.
Many government websites use Entrust, and that didn’t stop this from happening. So I don’t think that this is a good theory.
None of this is a "big business". I think thirty years ago there was probably a perception that it could be a big business, it's potentially a license to print money, but sufficient incompetence got them here instead. Look at ISRG's volumes: that's the potential volume available in the Web PKI, but that's at $0; we know the resistance to even low prices is fierce.
If you asked people from the for-profit CAs about Let's Encrypt before it launched, the impression you'd get was that they're issuing a lot more certificates and this doesn't matter. Millions per day? Ha, we'd barely notice. That was all bluster, they were never doing that.
I think Apple probably had the best shot to turn this into free money. Apple's customers are very willing to pay more than something appears to cost on the basis that it's Apple so it's worth it. I think you'd struggle a lot more to undercut a $10 Apple PKI product with a free offering that's identical, because Apple's customers are used to justifying why they spent more money on the same thing with the logo on it, and they are able to be completely irrational about it and it's OK: a brand rep would look unhinged if they violently attacked people who point out that it's bullshit; loyal fans will get understanding or even praise.
I actually thought about 10-15 years ago that Apple was about to do this, but they didn't, and once Let's Encrypt happened there's no room, really. Apple does still make money off some places where they're sole issuer and get to charge arbitrarily for doing nothing, but not like they would if they'd seized the entire Web PKI.
They genuinely believe they are "too big to fail". They've got thousands of employees, they've been around for 30 years, they are a critical part of public infrastructure: surely something as trivial as a few weirdos in a mailing list couldn't instantly kill their entire business?
Stuff like this happens when upper management has zero clue about the business they are in. They believe they are in the business of selling certificates, while in reality they are in the business of selling trust. They treat things like the CA/B Forum and the various Root Programs as more like an optional networking event than the combination of judge, jury, and executioner that it actually is - with a completely predictable outcome.
Perhaps they've decided to draw inspiration from https://bugzilla.mozilla.org/show_bug.cgi?id=647959.
Thanks for this link, reading through it (and the bugs referenced in it) was a delight this afternoon.
Big Jones BBQ and Foot Massage vibes
I saw a company being killed by a failed backup system. One unfortunate hardware failure, bad backups, and the company's service goes offline with no way to recover in a timely manner. Big clients require big compensation, company goes bankrupt. One shell script put in crontab could have prevented that, but nobody cared enough. It was not a big company, though. But the consequences of one simple oversight were dire.
Change Healthcare had a 4-month outage (Feb - June), and furthermore didn't have functional fallback plans in place.
Which means their business continuity planning was bullshit.
The good news is this caused companies in the healthcare space (at least provider, facility, and insurer sides) to start asking more pointed BCP questions to their SaaS vendors.
Surprised no one pointed to the nature of the business as a source of this behavior.
In a non-innovative, compliance-based industry, you make money by cutting costs.
This affects the entire business, as you find managers who are effective at cutting costs and architects/engineers who will work for lower salary.
Multiply that over enough years, and we know where it leads...
Thought this reply from 3 months ago was prescient, re: options in response to a previous Entrust failure-to-revoke issue. https://bugzilla.mozilla.org/show_bug.cgi?id=1890898#c21
It raises an interesting point about what constitutes a historical pattern of behavior, sufficient for inferring future deficiencies reliably enough to take present action.
Here, the motivation seemed to be that (a) enough history had accumulated to estimate Entrust's rate of process improvement & (b) that rate was deemed insufficient. Which seems a decent metric: if perfection is not presently achieved, then remediation progress needs to be seen.
We've seen the CEO of a CA arguing in a public forum that their 3-month trial is better than Let's Encrypt. Yes, those can be dysfunctional and can be led by people who have little idea about the business.
I’m really impressed. CAs are 100% rent-seeking businesses and their position is solely derived from having convinced browser and OS vendors to put them in a list. You’d assume their top prio would be to stay in the list.
I'm guessing very (there are plenty of people on Reddit who used to work there and have stated as much).
Here's the email their CEO/President sent to everyone that uses them:
Google Chrome announced yesterday that specific public roots used to issue public certificates by Entrust will no longer be trusted by default after October 31, 2024. This decision comes as a disappointment to us as a long-term member of the CA/Browser Forum community.
To address your concerns, there have been no security implications to the events that led to this distrust event, and you can be assured that your certificates are secure. I also want to assure you that Entrust can and will be able to serve your digital certificate needs now and in the future. And, our ability to do this extends beyond the public roots covered in Google’s decision.
Additionally, there is no impact on our private certificate offerings – including our PKI, PKI as a Service, and managed PKI – nor our code signing, digital signing, and email (S/MIME and VMC) offerings.
While the announcement is disappointing, Entrust has been in the public and private digital certificate business for over 25 years and we continue to bring that expertise and capability to your use cases every day. It is our hope that you will allow us to continue to serve your needs and we stand ready to answer any questions you have regarding your ongoing needs.
Sincerely,
Todd Wilkinson President & CEO
---
My personal take: I don't see why any of their customers (such as ey.com) would want to split their CA needs across multiple suppliers.
Software developers say that we have issues in the software that need to be fixed or updated. Management, who have never seen one line of code in their lives, say "no, make new features". And then the software starts to fall apart.