TrustCor Removed from Browser Root Stores
TrustCor is a certificate authority (CA) that had been providing digital certificates to organizations and individuals to secure their online transactions and communications. However, there were issued raised about the trustworthiness of TrustCor CA on Mozilla’s dev-security-policy mailing list. Joel Reardon, a professor at the University of Calgary, reported on the possible connections and shared ownership between TrustCor CA and a company called Measurement Systems. Measurement Systems had previously been linked to a US defense contractor and found collecting private information from mobile application users.
These concerns led to a lack of trust in TrustCor among major vendors such as Microsoft, Mozilla, and Google. The removal of TrustCor from the root stores was not due to any technical breaches, but rather the unsatisfactory responses and erosion of trust from the user agents.
This incident serves as a reminder that trust in CAs is at the discretion of the major vendors, and a CA can be removed from root stores if any one of these vendors decides not to trust it. It also highlights the difficulty in quantifying trust and the potential challenges in meeting the EU's plans to establish stronger controls over digital trust in its territories.
Originally posted on Tue Jan 17, 2023