Is trust enough? Not always, according to Google, at least not when it comes to the certificate authority Entrust:
"Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements."
"'Certification authorities serve a privileged and trusted role on the internet that underpin encrypted connections between browsers and websites,' Google said. 'With this tremendous responsibility comes an expectation of adhering to reasonable and consensus-driven security and compliance expectations, including those defined by the CA/Browser TLS Baseline Requirements.'"
"'Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly trusted CA poses to the internet ecosystem, it is our opinion that Chrome's continued trust in Entrust is no longer justified.'"
Fortunately, Google is not just shutting Entrust certificates off cold turkey. Any certificates issued before October 31, 2024 will continue to work throughout their lifespan, but new certificates issued after October 31, 2024 will not be trusted.
Mozilla has documented similar issues in its own report from May:
"It follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year."