
posted by Fnord666 on Saturday July 11 2020, @08:43PM   Printer-friendly
from the if-don't-do-audits-you-don't-have-findings-like-this dept.

Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle:

Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited.

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being included in DigiCert's WebTrust audits – which goes against the rules for EV certs. To remedy this, DigiCert said it will revoke every single EV cert issued by the ICAs in question – think CertCentral, Symantec, Thawte, and GeoTrust.

"To resolve the issue, we must migrate issuance to new ICAs and revoke all certificates issued under the impacted ICAs," Digicert told its customers in an email.

"Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT (July 11, 18:00 UTC)."

[...] And, by the way, EV certs, aka Extended Validation certificates, are supposed to be the gold standard in the cert-selling industry: these are the ones that show up with the cert owner's legal name in some browsers' address bar next to the padlock. This is so that when you're visiting your bank's website, and it says My Super Bank Corp, you're reassured this really is the real deal. EV certs have their critics.

[...] "Revoking over 50,000 certificates within five days is a draconian move that is only warranted when a severe security breach has been detected," wrote Bugzilla user Hank Nussbacher. "There needs to be some common sense in determining how long to allow before the certificate is revoked. Minor typos in province or mistakes with audit reports should be given 2-4 weeks to revoke certificates."

As others point out, however, it isn't Digicert's call to only wait five days for the revocation. Rather, that is what is required by Mozilla and CAB Forum rules.


  • (Score: 3, Informative) by FatPhil on Monday July 13 2020, @07:31AM

    It's broken by design. The decision "do I trust you?" has been commuted into a string of "do I trust the entity that claims to trust you?", where the claim of trust is nothing more than "is prepared to take money from you?". How anyone ever imagined that was scalable I simply cannot fathom.

    When browsers started treating self-signed certificates as less secure than commercially acquired ones was when I realised all hope was lost. A self-signed certificate answers the question "do I trust you?" with "I trust you now if I previously trusted you", which hopefully should be tautologically true. Of course the bootstrapping is the hard part, but handing a few shekels over to Honest Akhmed should never be considered a solution to that problem either.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves