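On June 27, Google's security team announced that Chrome 127 and later will no longer trust Entrust SSL certificates issued from November 1, 2024 onward. Certificates issued on or before October 31, 2024 will still be trusted and will continue to work normally. The decision is reportedly connected to a series of security failures at Entrust that Mozilla identified between March and May of this year; Entrust did not propose corrections or resolve the problems in a timely manner during these incidents, which led to Google's decision: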
EV TLS Certificate cPSuri missing
Failed to provide a preliminary incident report according to TLS BR 4.9.5
CPR was not responded to in 24 hours
Delayed revocation of EV TLS certificates with missing cPSuri
EV Certificate missing Issuer’s EV Policy OID
Delay in Updating CPS
Failure to revoke EV TLS certificates issued before CPS update
clientAuth TLS Certificates without serverAuth EKU
Delayed revocation of clientAuth TLS Certificates without serverAuth EKU
CPS typographical (text placement) error
Delayed incident report - CPS typographical (text placement) error
Not updating Problem Reporting Mechanism fields in CCADB
OCSP response signed with SHA-1
CRL non-conformance with the TLS BRs
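By default, in Chrome 127 and later, TLS server authentication certificates that validate to the following Entrust roots and whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024 will no longer be trusted.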
CN = Entrust Root Certification Authority - EC1
CN = Entrust Root Certification Authority - G2
CN = Entrust.net Certification Authority (2048)
CN = Entrust Root Certification Authority
CN = Entrust Root Certification Authority - G4
CN = AffirmTrust Commercial
CN = AffirmTrust Networking
CN = AffirmTrust Premium
CN = AffirmTrust Premium ECC
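The rule above can be applied to a certificate inventory to see which deployments Chrome will reject. The following is an added example, not code from Google or from this page. It assumes an inventory that already records each certificate's root CN and its SCT timestamps in milliseconds since the Unix epoch; the host names, the sample timestamps, the end-of-day UTC cutoff and the "review" verdict for certificates without SCT data are assumptions.

```python
from datetime import datetime, timezone

# Root CNs exactly as listed on this page.
AFFECTED_ROOT_CNS = {
    "Entrust Root Certification Authority - EC1",
    "Entrust Root Certification Authority - G2",
    "Entrust.net Certification Authority (2048)",
    "Entrust Root Certification Authority",
    "Entrust Root Certification Authority - G4",
    "AffirmTrust Commercial",
    "AffirmTrust Networking",
    "AffirmTrust Premium",
    "AffirmTrust Premium ECC",
}

# The page gives only the date; end of day in UTC is an assumption.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

def ms(*args):
    """Helper for the constructed samples: UTC date -> milliseconds since epoch."""
    return int(datetime(*args, tzinfo=timezone.utc).timestamp() * 1000)

def classify(root_cn, sct_timestamps_ms):
    """Return 'unaffected', 'trusted', 'distrusted' or 'review' for one certificate."""
    if root_cn.strip() not in AFFECTED_ROOT_CNS:
        return "unaffected"
    if not sct_timestamps_ms:
        return "review"  # no SCT data recorded: the page does not cover this case
    # Only the earliest SCT matters, so a later re-logging does not change the verdict.
    earliest = datetime.fromtimestamp(min(sct_timestamps_ms) / 1000, tz=timezone.utc)
    return "distrusted" if earliest > CUTOFF else "trusted"

# Constructed inventory: (host, root CN, SCT timestamps in ms).
INVENTORY = [
    ("shop.example", "Entrust Root Certification Authority - G2", [ms(2024, 9, 1), ms(2024, 9, 1, 0, 5)]),
    ("api.example", "AffirmTrust Premium ECC", [ms(2024, 11, 20)]),
    ("mixed.example", "Entrust Root Certification Authority - G4", [ms(2024, 10, 30), ms(2024, 11, 2)]),
    ("legacy.example", "Entrust.net Certification Authority (2048)", []),
    ("other.example", "Example Root CA (hypothetical)", [ms(2025, 1, 5)]),
]

def audit(inventory):
    """Map each host to its verdict under the rule described above."""
    return {host: classify(cn, scts) for host, cn, scts in inventory}

if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host:16} {verdict}")
```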