The Entrust thing is now some shows (SN981) old already, and I have not heard about the situation with Entrust and Threema yet. I went to the system-trusted credentials on my Fairphone 3+ (an Android device) to disable all Entrust CAs. I’ve done so in the past with the infamous Hong Kong Post CA (it still has two entries in the list today).
However, now I cannot send images or use the web interface anymore, unless I specifically enable the G2 Root CA from Entrust. Does anyone else experience this? I cannot find info about this on the web. See this screenshot:
Maybe Steve Gibson could address this in an upcoming show, as I know that he is a Threema user, albeit on the iPhone I guess. Maybe the situation there is different?
Since the trust issue has nothing to do with security, and since any certificate issued up until the first of October is and WILL REMAIN trusted for its duration, there is no reason for you to be disabling trust in Entrust’s root certificate. You should let the browser committees responsible for these things do their jobs instead of trying to do it for them.
I confirm that Threema.ch uses an Entrust certificate (see attached screenshot). But as @PHolder notes, I don’t think it’s cause for concern at this time, and I expect Threema will switch to a different certificate provider.
Thanks @PHolder for your answer, however it challenges my understanding of the role of a CA. IMHO the CA should certify that the entity this certificate claims to represent actually is that entity, threema.ch in this case. If I cannot trust that certificate, issued by the CA, or the CA itself duly doing its work, of what use is such a certificate?
Since Google currently doubts the credibility of Entrust as CA, why should I not follow suit?
That said, I am still sure my Threema messages are secure, because they are encrypted/decrypted with other keys, but it seems it’s no longer so certain whether my client is actually talking to threema.ch, because of this.
A CA has a number of roles and responsibilities. You trust them to generate properly signed and managed certificates that are based on strong cryptography. You trust them to follow the minimal rules for verifying who they issue certificates to and to follow the consensus rules for the validity of the issued certificates (the certificate duration, necessary revocations and other administration requirements).
As far as I know, what Google has complained about is more on the administration side, where Entrust was not properly following the consensus rules which it, as part of the community, had voted on and agreed to. No one has claimed that the certificates they issued were using poor security.
They were also caught multiple times issuing certificates without doing the proper checks, then failing to revoke those certificates, because “it would inconvenience our customers”!
That is the part of the admin that Google wasn’t happy with and they are being punished for it.
If they now revoke all of those invalid certificates, there is no problem trusting Entrust certificates issued up to the deadline…