I couldn’t really make head or tail of it and I’m still not sure, but Google’s announcement linked to the list of incident reports that they said were being mishandled, and I picked out this one at random, and I have to say it definitely seems like they kind of have a point. Certificates were being signed with SHA-1 for about 2 years, as far as I can tell, and most of Entrust’s responses over several months of people asking them “how are you taking steps to endeavor that things like this aren’t still happening or will not happen again” was basically, thank you for your concern, but fuck off and stop bothering me.
The first report I looked at was Entrust refusing to revoke certs because their clients’ manual processes would make applying reissued certificates inconvenient.
Quite fun reading, surprisingly - a mid-thread revelation that they’d pulled the exact same shit 4 years ago, and an attempt by Entrust to kill the issue because unattributed legal advice said they’d misreported the error. And then, just when their chutzpah seemed to be wearing everyone down, a good ‘fuck you’ from Apple forced them to revoke the certs after all.
I’m not surprised Google had enough & yanked their license to print money.