How Does Google Chrome Make The Decision To Distrust A Certificate Authority (CA)?

In light of the decision Google Chrome made last week to distrust Entrust as a Certificate Authority (CA), this is a topic worth diving into. Google Chrome makes the decision to distrust a public CA based on evidence of non-compliance with industry standards and security practices. The investigation scrutinizes the CA’s certificate issuance processes and overall security practices, gathering evidence from transparency logs, forums, and public disclosures. This evidence is assessed against industry standards such as the CA/Browser Forum’s Baseline Requirements, focusing on proper validation of certificate requests, operational security, and adherence to protocols.

For example, in the case of Symantec in 2018, Google found multiple instances of improper certificate issuance. Similar investigations likely led to the decision to distrust Entrust in 2024.

What role does the CA/B Forum play in this decision?

The CA/Browser (CA/B) Forum establishes the Baseline Requirements for the issuance and management of publicly trusted certificates, providing detailed guidelines and best practices for CAs to follow. These Baseline Requirements cover various aspects of certificate management, including validation processes, certificate content, cryptographic key management, and operational security controls. They are designed to ensure that CAs adhere to high standards of security and reliability, which are essential for maintaining trust in digital certificates.

The CA/B Forum’s standards serve as a benchmark for browser vendors in their decision-making process. If a CA is found to be non-compliant, the evidence gathered against the CA is measured against these standards. This helps ensure that the decision to distrust a CA is based on objective, industry-accepted criteria rather than arbitrary judgments.

When a browser like Google Chrome evaluates a CA’s compliance and reliability, it heavily relies on the standards set by the CA/B Forum. The browser’s security team reviews the CA’s practices against these Baseline Requirements to determine if there are any deviations or non-compliance issues. For example, improper validation of certificate requests, weak cryptographic practices, or insufficient operational security controls would be considered serious violations of the CA/B Forum’s standards.
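The same Baseline Requirements profile limits that a browser's security team checks a CA against can be checked from the relying-party side: an enterprise can lint the certificates its CAs have issued to it and catch weak cryptographic practice before a browser does. The following is an added example (not code from the original post or from AppViewX) that inspects the parsed fields of a subscriber certificate against a few thresholds assumed from the Baseline Requirements in force in mid-2024: a 398-day maximum lifetime, a 2048-bit RSA minimum, P-256/P-384/P-521 for ECDSA, a required subjectAltName, and no SHA-1/MD5 signatures. The sample certificates are constructed field sets with placeholder moduli, not real or signed certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Thresholds assumed from the CA/B Forum Baseline Requirements in force in mid-2024.
const (
	maxLeafValidity = 398 * 24 * time.Hour // longest permitted subscriber certificate lifetime
	minRSABits      = 2048                 // smallest permitted RSA modulus
)

// allowedCurves lists the named curves the Baseline Requirements permit for ECDSA keys.
var allowedCurves = map[string]bool{"P-256": true, "P-384": true, "P-521": true}

// LintBaseline inspects the fields of one subscriber certificate and returns a description of
// each assumed-BR threshold it violates. An empty result means nothing was flagged.
func LintBaseline(c *x509.Certificate) []string {
	var findings []string
	if life := c.NotAfter.Sub(c.NotBefore); life > maxLeafValidity {
		findings = append(findings, fmt.Sprintf("validity of %.0f days exceeds the %.0f-day maximum",
			life.Hours()/24, maxLeafValidity.Hours()/24))
	}
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		findings = append(findings, "no subjectAltName entries (a CN-only identity is not permitted)")
	}
	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < minRSABits {
			findings = append(findings, fmt.Sprintf("RSA modulus is %d bits, below the %d-bit minimum", pub.N.BitLen(), minRSABits))
		}
	case *ecdsa.PublicKey:
		if name := pub.Curve.Params().Name; !allowedCurves[name] {
			findings = append(findings, "ECDSA curve "+name+" is not one of P-256, P-384, P-521")
		}
	default:
		findings = append(findings, fmt.Sprintf("public key type %T is not RSA or ECDSA", pub))
	}
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "signature algorithm "+c.SignatureAlgorithm.String()+" uses a deprecated hash")
	}
	return findings
}

// SampleCertificates returns two constructed field sets (never signed or issued by anyone): one
// that should pass and one with a long lifetime, no SAN, a 1024-bit RSA modulus and a SHA-1
// signature. The moduli are placeholders with the right bit length, not real keys.
func SampleCertificates() (good, bad *x509.Certificate) {
	now := time.Now()
	strong := &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 2047), E: 65537} // BitLen() == 2048
	weak := &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 1023), E: 65537}   // BitLen() == 1024
	good = &x509.Certificate{
		NotBefore: now, NotAfter: now.AddDate(0, 0, 90),
		DNSNames: []string{"www.example.test"}, PublicKey: strong, SignatureAlgorithm: x509.SHA256WithRSA,
	}
	bad = &x509.Certificate{
		NotBefore: now, NotAfter: now.AddDate(3, 0, 0),
		PublicKey: weak, SignatureAlgorithm: x509.SHA1WithRSA,
	}
	return good, bad
}

func main() {
	good, bad := SampleCertificates()
	fmt.Println("constructed good certificate:", LintBaseline(good))
	for _, f := range LintBaseline(bad) {
		fmt.Println("constructed bad certificate:", f)
	}
}
```

In practice the input would come from `x509.ParseCertificate` over the DER of each certificate in the inventory; the thresholds are deliberately kept as named constants so they can be adjusted when the Baseline Requirements change, which is the crypto-agility point made later in this post.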

How are CAs held accountable to these baseline requirements?

CAs are held accountable through audits conducted by independent third parties and must regularly provide evidence of compliance with the CA/B Forum’s Baseline Requirements. Failure to meet these requirements can result in browsers distrusting the CA’s certificates, as seen with Google’s actions against Symantec and Entrust.

In the case of Symantec, Google announced in March 2017 that it would begin gradually distrusting Symantec certificates. This decision was due to a series of incidents where Symantec was found to have improperly issued numerous certificates over several years, undermining trust in its issuance practices. Symantec’s failure to address these issues led to the phased removal of trust in its certificates by major browsers, culminating in their complete distrust by early 2018.


What does this distrust decision mean to Entrust?

The decision by Google Chrome to distrust Entrust has significant and far-reaching implications for both Entrust and its customers. When a CA is distrusted, all certificates issued by that CA are no longer recognized as valid by the browser. This directly impacts the trust and security of websites and services relying on these certificates for secure communications and business transactions.

From 2021 to 2024, Entrust faced recurring issues of non-compliance, primarily involving the improper issuance of certificates without proper validation, violating the CA/B Forum’s Baseline Requirements. These lapses highlighted inadequate validation processes and operational security controls within Entrust.

Historically, Symantec experienced a similar fallout from incidents leading to their distrust by major browsers, including Google Chrome and Mozilla Firefox, which had severe consequences for their CA business. Symantec’s distrust led to a loss of trust, a requirement for widespread certificate replacement, and ultimately, the sale of their CA business to DigiCert.

For Entrust, the distrust decision necessitates immediate corrective actions to address compliance issues, enhance validation processes, and improve operational security controls. Failure to do so could result in long-term damage to their reputation and business viability, similar to what Symantec experienced.

How does it impact Entrust customers (security, compliance, and operations)?

The distrust of Entrust by Google Chrome significantly impacts their customers in several ways. On security, websites and applications using Entrust certificates will show warnings such as “This site is not secure” or “Your connection is not private,” which could lead to potential vulnerabilities and loss of user trust. On compliance, customers may face regulatory violations and audit failures if they don’t replace the distrusted certificates, risking legal and financial penalties depending on their industry and geographical regulations. Operationally, the need to rapidly replace the impacted certificates can cause service disruptions, increased operational costs, and resource-intensive efforts unless contingency plans, backup CAs, and automated certificate lifecycle management are in place.

How can enterprise organizations be prepared for CA issues and compromises?

Organizations should prepare by employing a defense-in-depth strategy with Crypto-Agility to ensure layered security and resiliency against CA compromises. This approach includes backup CAs, automated tools, regular audits, continuous monitoring, and an updated incident response plan. Ensuring that systems can quickly adapt to changes in cryptographic standards and CA statuses allows for rapid certificate replacement and updates, maintaining security and trust without significant downtime. Best practices for Crypto-Agility will also enable organizations to prepare for other potentially disruptive cryptographic changes such as Google’s proposal for 90-day TLS validity and Post-Quantum Cryptography.
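The first thing an operations team needs when a browser announces a distrust is an answer to "which of our certificates chain to that root, and which expire soonest?" The following is an added example (not code from the original post or from AppViewX) of that inventory audit, serving both the customer-impact section above and the crypto-agility advice here: it builds a chain for every certificate in an inventory against the roots the organization trusts, flags those whose chain ends at a root on a distrust list keyed by SHA-256 fingerprint, and orders the findings by expiry so the replacement work can be prioritized. The two roots and three leaf certificates are constructed in memory for the demonstration; no real CA, fingerprint or hostname is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// must panics on err; it keeps the constructed-PKI helpers short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign generates a fresh P-256 key, signs tmpl with parent (self-signed when parent is nil)
// and returns the parsed certificate plus the new key. Constructed test data, not a real CA.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newRoot builds a self-signed CA certificate with the given common name.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-24 * time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueLeaf signs a TLS server certificate for host under root, valid for the given number of days.
func issueLeaf(host string, serial int64, days int, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return cert
}

// Fingerprint is the hex SHA-256 of the DER encoding, the usual identifier for a root in a distrust list.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// Finding is one certificate that chains to a distrusted root and therefore needs replacing.
type Finding struct {
	Host, Root string
	NotAfter   time.Time
}

// AuditInventory builds a chain for every leaf against the roots the organization trusts and flags
// leaves whose chain ends at a root in distrusted (keyed by fingerprint), soonest expiry first.
func AuditInventory(leaves, roots []*x509.Certificate, distrusted map[string]bool) []Finding {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	var out []Finding
	for _, leaf := range leaves {
		chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
		if err != nil {
			continue // chains to no trusted root at all; a separate problem, outside this audit
		}
		root := chains[0][len(chains[0])-1]
		if distrusted[Fingerprint(root)] {
			out = append(out, Finding{Host: leaf.DNSNames[0], Root: root.Subject.CommonName, NotAfter: leaf.NotAfter})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].NotAfter.Before(out[j].NotAfter) })
	return out
}

// DemoAudit builds a toy inventory (two roots, three leaves) and audits it with one root distrusted.
func DemoAudit() []Finding {
	badRoot, badKey := newRoot("Constructed Distrusted Root")
	okRoot, okKey := newRoot("Constructed Other Root")
	leaves := []*x509.Certificate{
		issueLeaf("www.example.test", 10, 300, badRoot, badKey),
		issueLeaf("intranet.example.test", 11, 200, okRoot, okKey),
		issueLeaf("api.example.test", 12, 30, badRoot, badKey),
	}
	distrusted := map[string]bool{Fingerprint(badRoot): true}
	return AuditInventory(leaves, []*x509.Certificate{badRoot, okRoot}, distrusted)
}

func main() {
	for _, f := range DemoAudit() {
		fmt.Printf("REPLACE %-22s root=%q expires=%s\n", f.Host, f.Root, f.NotAfter.Format("2006-01-02"))
	}
}
```

Run as a program, the demo prints the two certificates under the constructed distrusted root, `api.example.test` first because it expires sooner. In a real deployment the leaves would be loaded from the certificate inventory, the roots from the organization's trust store, and the distrusted map populated from the browser vendor's published root fingerprints; keeping the distrust list as data rather than code is what lets the same audit be rerun the day the next announcement lands.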

To implement Crypto-Agility today, AppViewX can help. Request a demo today of the AVX ONE Certificate Lifecycle Management and PKI platform to learn how you can gain visibility and control of all public and private certificates.


About the Author

Prasanth Sundararajan

Director - Enterprise Information Security
