Hi Arabella,

"Sectigo's acquisition deal of Entrust does not include Entrust Root's PKI" - that is correct. No keys or certificates were transferred as part of the agreement.

Entrust may continue to issue certificates, and while the roots are widely-distrusted, there's no reason they cannot continue to do this as they see fit. I will defer to Entrust if they wish to add comment here.

Thanks,
Nick

On Friday, February 7, 2025 at 6:58:14 AM UTC Arabella Barks wrote:

> Hello, Nick,
>
> As I understand it, the Sectigo's acquisition deal of Entrust does not include Entrust Root's PKI. However, I noticed that on https://crt.sh/?Identity=%25&iCAID=1671, Entrust's PKI hierarchy continues to issue certificates.
>
> Could you please clarify whether these requests are issued by Entrust Company or Sectigo company? And what the root caused the issuance?
>
> Thank you.
> Ara Barks
>
> On Tuesday, February 4, 2025 at 12:49:07 AM UTC+8 Peter Bowen wrote:
>
>> On Mon, Feb 3, 2025 at 8:19 AM Mike Shaver <[email protected]> wrote:
>> > On Mon, Feb 3, 2025 at 10:12 AM Bastian Blank <[email protected]> wrote:
>> >> On Mon, Feb 03, 2025 at 12:17:27AM -0800, 'Nick France' via [email protected] wrote:
>> >> > Sectigo has nothing to do with the brand or assets of Entrust. They remain with Entrust and were not part of this acquisition, as previously stated.
>> >>
>> >> However you clearly re-use some of the systems. From the Sectigo page, it is clear that the Entrust management frontend is still in use:
>> >>
>> >> | Once the integration is in place later this year, you will be able to order Sectigo certificates directly from Entrust, and Sectigo will issue the certificates directly to you through Entrust Certificate Services (ECS).
>> >
>> > Isn't this just a basic certificate reseller setup, like Entrust had with SSL.com already?
>> >
>> > "Use our system to order their certs" is generally how it works because "our web front end" is the only real value that can be added by a reseller (other than rolodex, I suppose).
>> >
>> > I entirely approve of scrutiny being applied to Entrust's relationship with certificate issuance, but I think this matter seems pretty clearly settled at this point until there is any actual evidence of misuse or imminent risk.
>>
>> +1; this seems no different than what companies like NameCheap (https://www.namecheap.com/security/ssl-certificates/), Gandi (https://www.gandi.net/en-US/security), and SSLs.com (https://www.ssls.com/) offer. They are not CAs, they do not operate HSMs for the WebPKI, they do not control issuance of WebPKI certificates. Historically, there are multiple prior cases of a company that formerly operated a publicly trusted CA switching to become a reseller of certificates from other publicly trusted CAs. This seems to just be another case of that model.
>>
>> Thanks,
>> Peter
