GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

    Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 29-Jun-2024 11:33:01 JST

    Entrust's CA business is being executed, in part due to this:

    https://bugzilla.mozilla.org/show_bug.cgi?id=1883843

      Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 29-Jun-2024 11:33:47 JST

      https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html


      Attachment: "Sustaining Digital Certificate Security - Entrust Certificate Distrust", posted by Chrome Root Program, Chrome Security Team.
      Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 29-Jun-2024 11:34:57 JST

      Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.

      Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 29-Jun-2024 13:25:49 JST
      in reply to: ocdtrekkie

      @ocdtrekkie Entrust epically shit the bed. The "technicalities" are Van Halen's brown M&Ms. No, they don't matter, but them being wrong means other things are bound to be utterly fucked.

      ocdtrekkie (ocdtrekkie@mastodon.social)'s status on Saturday, 29-Jun-2024 13:25:50 JST

      @ryanc This exactly reads like Google and Mozilla losing their crud on a technicality to take out one of Google's competitors. The PKI folks in the root programs continue to absolutely stun and amaze.

      Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 29-Jun-2024 13:28:43 JST
      in reply to: ocdtrekkie, Jonathan Kamens 86 47

      @jik @ocdtrekkie a lot of the stuff is technicalities with no security impact, but as I said in the other thread, a CA's entire job is to comply with that shit to the letter.

      Jonathan Kamens 86 47 (jik@federate.social)'s status on Saturday, 29-Jun-2024 13:28:45 JST
      in reply to: ocdtrekkie

      @ocdtrekkie @ryanc Wow, I had a very different reaction to reading that ticket.
      A CA that repeatedly breaks the rules in the same way for years, claiming each time that they know they screwed up and they'll do better next time, really, should not continue to be trusted. This seems fundamental to me, not a "technicality."
      And I don't see what incentive the folks at Mozilla's root program would have to help "take out one of Google's competitors."

      ocdtrekkie (ocdtrekkie@mastodon.social)'s status on Saturday, 29-Jun-2024 13:59:38 JST
      in reply to: Jonathan Kamens 86 47

      @jik @ryanc Apart from some posturing by the root programs, it doesn't sound like there were any technical deficiencies on Entrust's part (when forced, they addressed the revocation promptly). They disagreed on the right approach, and Google, as a monopoly, has decided to punish them for it.

      Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 29-Jun-2024 13:59:38 JST
      in reply to: ocdtrekkie, Jonathan Kamens 86 47

      @ocdtrekkie @jik If I were in charge of a root program I'd have distrusted Entrust a while ago.

      Their job was to conduct their affairs in a manner beyond reproach because they have the literal keys to everything.

      Instead, they fucked around.

      Now they're finding out.

      Jonathan Kamens 86 47 (jik@federate.social)'s status on Saturday, 29-Jun-2024 13:59:39 JST
      in reply to: ocdtrekkie

      @ocdtrekkie @ryanc And what about the fact that following the rules costs money and it would be inappropriate to require some CAs to make those investments while allowing others to repeatedly fail to do so?

      Jonathan Kamens 86 47 (jik@federate.social)'s status on Saturday, 29-Jun-2024 13:59:40 JST
      in reply to: ocdtrekkie

      @ocdtrekkie @ryanc Just to be clear, are you saying that the other CAs that have retained their trust status because they've been able to follow the rules Entrust has repeatedly broken are not "focused on functional, practical security that is stable enough for people to rely on"?
      Or that "As long as our priorities are correct, we shouldn't be penalized for not following all the rules that everyone else follows" is a legitimate argument?

      ocdtrekkie (ocdtrekkie@mastodon.social)'s status on Saturday, 29-Jun-2024 13:59:41 JST

      @ryanc The problem is this entire exchange highlights what's wrong with PKI: Entrust demonstrates they are focused on functional, practical security that is stable enough for people to rely on. Google is looking for excuses to break everything on brown M&Ms. I know which company I think understands how to make security that actually works, and it's not the one bullying Entrust. (When Mozilla addresses their HSTS problem, they'll be worth talking about.)

      Ryan Castellucci (they/them) :nonbinary_flag: (ryanc@infosec.exchange)'s status on Saturday, 29-Jun-2024 14:14:04 JST
      in reply to: Jonathan Kamens 86 47

      @jik @ocdtrekkie@mastodon.social that person is utterly mad, wtf

      Jonathan Kamens 86 47 (jik@federate.social)'s status on Saturday, 29-Jun-2024 14:14:05 JST
      in reply to: ocdtrekkie

      @ocdtrekkie @ryanc I can see you are not worth my time here. *plonk*

      ocdtrekkie (ocdtrekkie@mastodon.social)'s status on Saturday, 29-Jun-2024 14:14:06 JST
      in reply to: Jonathan Kamens 86 47

      @jik @ryanc Like... you've heard about this company called Google, right? That one that's under investigation for breaking the rules in basically every single country, over and over, and straight up cheesing regulators or paying them off?

      Come on, man. Let's revoke Google first, then worry about Entrust. Oh wait, we can't, Google unilaterally controls the web.

      ronin3510 :donor: 🛰️ (ronin3510@infosec.exchange)'s status on Saturday, 29-Jun-2024 14:57:08 JST
      in reply to: ocdtrekkie, Jonathan Kamens 86 47

      @ryanc @ocdtrekkie @jik

      Curious how this will play out…

      On one hand you’re not allowed to touch a QWAC but on the other suddenly the EU is losing possibly the main QWAC provider?

      Also interesting to see how the other root programs will respond to this, and what will eventually happen in the Microsoft/Apple/Oracle/Cisco worlds - to name just a few.

      Mr. Bitterness (wdormann@infosec.exchange)'s status on Saturday, 29-Jun-2024 22:22:20 JST
      in reply to: ocdtrekkie, Jonathan Kamens 86 47

      @ryanc @jik @ocdtrekkie
      Wow...
      "We have not stopped issuance and we are not planning to stop issuance or to revoke certificates issued"
      (Because it will annoy our customers)
      Some time later:
      Entrust nuked from existence.


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.