Mozilla follows Google in losing trust in Entrust's TLS certificates

Mozilla has decided to distrust Entrust as a root certificate authority (CA), following Google's similar action due to ongoing compliance failures. Google initially dropped Entrust, citing a "pattern of concerning behaviors." Entrust has acknowledged these issues and expressed intentions to regain trust, but both Google and Mozilla found its responses inadequate. Mozilla's root store manager, Ben Wilson, indicated that Entrust's recent commitments were not significantly different from previous ones that had been broken. Mozilla documented 22 compliance incidents from March to May 2024, raising further concerns. Entrust's director of certificate services, Bruce Morton, expressed disappointment over Mozilla's decision but reiterated the company's commitment to an improvement plan and its partnership with SSL.com, which will allow Entrust to continue offering digital certificates as a registration authority. Mozilla will cease trusting Entrust-issued certificates after November 30, 2024, while Google will stop trusting them a month earlier. Certificates issued before these dates will remain valid, but any issued afterward will only be trusted if purchased through SSL.com via Entrust. Mozilla emphasized the need for Entrust to address the root causes of its compliance issues to restore confidence in its operations. The situation highlights the critical role of certification authorities in maintaining secure internet connections and the expectations for adherence to security and compliance standards.