Podcast
Root Causes 458: Apple Extends Entrust Distrust to SMIME and VMC
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
January 19, 2025
Apple has added itself to the Entrust distrust and has extended this distrust to S/MIME and VMC. We explain.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanWe have been tracking very big news. This in 2024 is the Entrust distrust. And obviously, Chrome led this off with the original distrust announcement, which more or less sealed the fate for Entrust TLS. Mozilla joined on, which was important, because the more distrust events there are, the harder it is eventually to come back. Now, we have seen motion from both Apple and Microsoft on this issue as well.
Jason SorokoInteresting. So that's an update, fairly recent.Tim CallanYes, very much so. So Apple came out with their 15.2 OS update and included with that is a note stating that there is an Entrust distrust as of November 15, 2024. That's in the past. So it appears, if we understand the note correctly, that every certificate probably starting on, or perhaps starting the next day on the 16th, that's issued from these Entrust roots will be treated as distrusted in the Apple stack. Now you might say, okay, well, who cares, because at this point, it's already been distrusted by Chrome and they're not going to be any certs anyway, or if you are getting a cert, it's not going to work and who cares. But what's special and interesting about the Apple distrust is Apple, unlike Chrome, is an email client as well, and so the Apple distrust is not only for TLS, but it's also for S/MIME. It's also for VMC, Verified Mark Certificates, and for time stamping.
Jason SorokoSo this is an expanded scope of the distrust.Tim CallanIt is an expanded scope of the distrust. So you and I speculated about this. But there was no firm conclusion about what was going to happen. We did speculate that the distrust might extend S/MIME. I didn't actually expect it to extend to VMC. Based on the Apple notification, it appears that it has touched both of those other certificate types as well. Now we go back to the November 15 thing. Why does this matter? Well, what if I got an S/MIME certificate from Entrust on November 16 believing that it would work and seeing it work in production. Now, it may be that suddenly, a month later, it stops working.
Jason SorokoLet me get you straight, Tim, because you're not talking about somebody who procured a certificate on the 16th. What's the lifespan? A year? So you're talking about people who procured - -Tim CallanActually two years for an S/MIME.Jason SorokoSo somebody who procured it two years ago.Tim CallanNo. Let me clarify. It's the same as the other distrusts, which is this is as of the issue date. If I purchased a cert and it was issued to me on November 14, 2024, it will work for its full lifespan. However, if I purchased something on November 16, 2024, according to this update, it won't work at all in the Apple stack.Jason SorokoThen I take everything back I just said. That's wild.Tim CallanThat's pretty wild, because it would have been working. I could have bought it on November 16, put it in my email, opened it on my iPhone or my MacBook, gotten a proper signed email with no distrust warnings, no technical problems, and been of the belief that that was working and then when the 15.2 release rolls around, apparently it will stop working.Jason SorokoEvery one of the distrust statements that I've read, if you bought something, the two days before the distrust event, I mean your grandfathered, that certificate has a lifespan that will be trusted for - -Tim CallanThat is true in the Chrome case. That is true in the Mozilla case. The dates are different, but the principles are true. And that's true in the Apple case. What's unusual, and so same for TLS and S/MIME and VMC. What's different though, in the Apple case is that the date that was announced as the line of demarcation for the distrust was prior to the announcement. What that does is that leaves this gap of approaching a month, nearly a month, where you could very well have obtained a cert. The cert was working. You knew it was working, confirmed it was working, believed it was working, and now, according to the statement, it appears that the cert will stop working.Jason SorokoSo I'm trying to wrap my head around it. You’ve now explained it perfectly.Tim CallanIt’s very unusual.Jason SorokoIt's very much unlike the other distrust statements.Tim CallanIt is unusual. And for TLS, if it was just for TLS, I would say, who really cares. As of November 12, it wasn't working in Chrome anyway. That means that for any public facing use case, it's essentially useless, and presumably nobody's using these if they can even get them. So who cares. That would be a who cares. The reason it's not a who cares is that up until this distrust event, the S/MIME and VMC certificates had been unaffected, and because they had been unaffected, presumably they were still in use.That's an interesting one. I have a note in to contacts of mine at Apple trying to confirm that my understanding of this is correct, because I'm just going off what I'm reading in their notification. We may come back if this demands correction, we'll come back with an update episode to correct it. That is what the notification says, and that's my interpretation of what I believe is going on here.
Then the other one connected to that is that there is a draft of a root program update from Microsoft. Now it's in draft form. They're not done until they come out of draft, so they could change it. But the draft of the root program update in Microsoft also distrusts and trusts TLS. So assuming that that goes through and becomes reality, then at that point, it will be a clean sweep. All four of the major root programs will have done the distrust.
Jason SorokoThe door finally closed.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
