(cache)Two certificate authorities booted from the good graces of Chrome

Inherent risk

“Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports,” members of the Chrome security team wrote Tuesday. “When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.”

According to Ryan Hurst, a researcher with over two decades of experience working with certificate authorities, such certificate distrust events occur about once every 15 months. The reasons for the revocations vary widely.

Hurst provided the following graph tracking the frequency of reasons for past events:

Pie chart showing reasons for distrust — Data from Ryan Hurst Credit: Ars Technica

Google cited no specific incidents. Hurst, however, said past offenses included:

Netlock failing to disclose an intermediate CA Certificate to the Common CA Database over a span of more than one year.
Netlock failing to revoke a misissued certificate.
Netlock failing to provide mandated weekly updates concerning a security incident.
Chunghwa Telecom delaying revocation of a misissued certificate.
Chunghwa Telecom misissuing 247 certificates with incorrect subject domain name structures.

Chrome will stop trusting all certificates issued by Chunghwa Telecom and Netlock after July 31. Certificates issued after that date will, by default, display an error page on Chrome. The delay is designed to give those organizations' customers time to find new certificate authorities. Representatives from both organizations didn't respond to emails requesting comment.

Two certificate authorities booted from the good graces of Chrome

Ars Video

How The Callisto Protocol's Gameplay Was Perfected Months Before Release

Inherent risk