SoylentNews is people

posted by Fnord666 on Saturday July 11 2020, @08:43PM
from the if-don't-do-audits-you-don't-have-findings-like-this dept.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle:

Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited.

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being included in DigiCert's WebTrust audits – which goes against the rules for EV certs. To remedy this, DigiCert said it will revoke every single EV cert issued by the ICAs in question – think CertCentral, Symantec, Thawte, and GeoTrust.

"To resolve the issue, we must migrate issuance to new ICAs and revoke all certificates issued under the impacted ICAs," Digicert told its customers in an email.

"Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT (July 11, 18:00 UTC)."

[...] And, by the way, EV certs, aka Extended Validation certificates, are supposed to be the gold standard in the cert-selling industry: these are the ones that show up with the cert owner's legal name in some browsers' address bar next to the padlock. This is so that when you're visiting your bank's website, and it says My Super Bank Corp, you're reassured this really is the real deal. EV certs have their critics.

[...] "Revoking over 50,000 certificates within five days is a draconian move that is only warranted when a severe security breach has been detected," wrote Bugzilla user Hank Nussbacher. "There needs to be some common sense in determining how long to allow before the certificate is revoked. Minor typos in province or mistakes with audit reports should be given 2-4 weeks to revoke certificates."

As others point out, however, it isn't Digicert's call to only wait five days for the revocation. Rather, that is what is required by Mozilla and CAB Forum rules.


  • (Score: 1) by Frosty Piss (4971) on Sunday July 12 2020, @04:50AM (#1019730)

    CertCentral, Symantec, Thawte, and GeoTrust.

    Fortunately I use Let’s Encrypt.