Given that the error has existed for 5 years, 24 hours seems a bit draconian. Surely this is an exceptional circumstance in its own right that should apply to the entire affected customer base.
More than 83K certs from nearly 7K DigiCert customers must be swapped out now
As the DigiCert drama continues, we now have a better idea of the size and scope of the problem – with the organization's infosec boss admitting the SSL/TLS certificate revocation sweep will affect tens of thousands of its customers, some of which have warned that the short notice may have real-world safety implications and …
COMMENTS
Thursday 1st August 2024 19:37 GMT NoneSuch
The strict rules are set by the CA/Browser Forum (CABF), the governing body establishing standards for Certificate Authorities (CAs) in issuing and managing SSL/TLS certificates. To obtain a certificate for a domain, a CA must verify the domain owner through methods like email or DNS record changes. If any error occurs during this domain validation process, the CABF mandates that the issued certificate be revoked within 24 hours to safeguard website security and maintain trust in SSL/TLS certificates.
That isn't something Digicert came up with; it's the agreed standard for being a CA.
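As an added example (not from the thread, the article, or DigiCert's own tooling): a small Go inventory that walks a PEM bundle and lists the certificates an admin would have to replace under a revocation sweep like the one described, namely those from a given issuer organization whose NotBefore falls inside the affected window. The issuer string, the constructed self-signed test certificates, and the five-year window are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed test cert (subject doubles as issuer) so this runs offline.
func makeCert(issuerOrg, cn string, notBefore time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{issuerOrg}, CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// SampleBundle: constructed PEM bundle with two certs naming the CA under review (one inside the window, one before it) and one from another CA.
func SampleBundle() []byte {
	day := func(y int) time.Time { return time.Date(y, 3, 1, 0, 0, 0, 0, time.UTC) }
	b := makeCert("DigiCert", "app.example.com", day(2022))
	b = append(b, makeCert("DigiCert", "old.example.com", day(2017))...)
	return append(b, makeCert("Other CA", "api.example.com", day(2023))...)
}
// AffectedCerts returns the common names of certs in bundle whose first issuer organization is issuerOrg and whose NotBefore lies in [from, to).
func AffectedCerts(bundle []byte, issuerOrg string, from, to time.Time) []string {
	var hits []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if block.Type != "CERTIFICATE" || err != nil || cert.NotBefore.Before(from) || !cert.NotBefore.Before(to) {
			continue
		}
		if orgs := cert.Issuer.Organization; len(orgs) > 0 && orgs[0] == issuerOrg {
			hits = append(hits, cert.Subject.CommonName)
		}
	}
	return hits
}
func main() { // the five-year window is an assumption taken from the remark that the error "existed for 5 years"
	fmt.Println(AffectedCerts(SampleBundle(), "DigiCert", time.Date(2019, 8, 1, 0, 0, 0, 0, time.UTC), time.Date(2024, 8, 1, 0, 0, 0, 0, time.UTC)))
}
```

Point it at a real bundle exported from your hosts and it reports only the certificates that fall in the issuer and date range you supply, which is the list the 24-hour clock applies to.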
Thursday 1st August 2024 23:57 GMT david 12
Entrust "Ensuring Trusted Identities"
Digicert certainly (digitly certainly) saw what happened to Entrust, and doesn't want it to happen to them:
"google axes entrust" https://www.theregister.com/2024/06/28/google_axes_entrust_over_six/
Justification provided --they don't take the rules seriously enough--
Thursday 1st August 2024 04:54 GMT Pascal Monett
"We will not be able to delay revocation beyond that date and time."
Um, why? You're the certificate authority, are you not? It seems to me that you have the ability to do whatever with your certs, including having a bit of patience while thousands of admins and thousands more IT staff have their schedule thrown into the blender to satisfy you.
Thursday 1st August 2024 09:26 GMT Vincent Ballard
Re: "We will not be able to delay revocation beyond that date and time."
They're afraid that if they delay more than 24 hours, the browsers will implement official policy and remove their root certificates from the browsers' trusted list, causing all of their certificates (and not merely the 0.4% at issue) to become worthless for interactions involving anything other than wget/curl/equivalent.
Friday 2nd August 2024 09:43 GMT I could be a dog really
Re: "We will not be able to delay revocation beyond that date and time."
They have a set of rules to follow - read the articles and other comments.
The rules mandate that they MUST revoke "unsafe" certificates within 24 hours - so as it is, they are stretching the rules, for some customers, if the customer gives a strong enough justification. Why must they follow the rules? Because if they don't, as in some of the other comments, the browser vendors will push out an update with that CA's root certificate removed - which spells near instant death for any site using certs from that CA, and as a result, probably not quite as instant death for the CA's business.
Thursday 1st August 2024 06:53 GMT Kevin McMurtrie
Cracked?
I'm guessing it's 24 hours because the gangs that hang out on Cloudflare, AWS, and GCP have figured out how to take advantage of the bad certs.
I don't know how much it's worth, though. Everybody's favorite credit union, Patelco, has an anonymous certificate from Let's Encrypt. Obviously lots of people don't check certificate ownership. That's fine as long as you spelled the domain name perfectly, nobody has hijacked the site's DNS, the domain name doesn't have an overdue bill, ...
Thursday 1st August 2024 12:48 GMT Irongut
Re: Cracked?
RTFA
24 hours is the period specified by the CA / Browser Forum who control security policy for web browsers. Mozilla, Google, MS, et al are responsible for this and it is good security practice.
But no, you're not interested in the article or the facts just in pushing your own raving grudge against whoever Patelco is.
Thursday 1st August 2024 21:06 GMT Benny Cemoli
What I would like to know is what penalties DigiCert is going to have imposed upon it for allowing these mis-validated certificates to be issued for the last five years. After all, 83,267 certificates isn't a trivial thing. So will they be facing any penalty or will it just be a case of, "Oops, our bad. Won't happen again." and nothing else. Just wondering.
Friday 2nd August 2024 09:49 GMT Anonymous Coward
Interestingly, I logged into my work laptop this morning, and no VPN connection. Plus a text to say there's a "major incident" affecting remote access. I wonder if the two are connected to the subject of the article. I can't see in our locked down view what certs are involved, but in the message log it's been saying "No valid certificates available for authentication".
As I type, it's just connected.