I couldn’t really make head or tail of it and I’m still not sure, but Google’s announcement linked to the list of incident reports that they said were being mishandled, and I picked out this one at random, and I have to say it definitely seems like they kind of have a point. Certificates were being signed with SHA-1 for about 2 years, as far as I can tell, and most of Entrust’s responses over several months of people asking them “how are you taking steps to endeavor that things like this aren’t still happening or will not happen again” was basically, thank you for concern but fuck off stop bothering me.