On Fri, Feb 7, 2025 at 6:42 AM 'Nick France' via
[email protected] <[email protected]>
wrote:
>
> "Sectigo's acquisition deal of Entrust does not include Entrust Root's PKI" - 
> that is correct. No keys or certificates were transferred as part of the 
> agreement.
>
> Entrust may continue to issue certificates, and while the roots are 
> widely-distrusted, there's no reason they cannot continue to do this as they 
> see fit.
> I will defer to Entrust if they wish to add comment here.

I don't think Entrust roots are widely distrusted. The DistrustAfter
only works in some places, like browsers. Other projects and tooling,
like Alpine and cURL, gave up trying to make it work. See:

* Alpine: <https://gitlab.alpinelinux.org/alpine/ca-certificates/-/issues/6>
* curl: <https://curl.se/mail/lib-2025-01/0019.html>,
<https://github.com/curl/curl/pull/15552>

I think the CA/BF handled this poorly when it used DistrustAfter to
address the problem. The CA/BF introduced non-standard extensions to
something that it claims is a subset or profile of RFC 5280. And I
have not seen work on getting it standardized. (Corrections, please).

Jeff
