Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited.
A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being included in DigiCert's WebTrust audits – which goes against the rules for EV certs. To remedy this, DigiCert said it will revoke every single EV cert issued by the ICAs in question – think CertCentral, Symantec, Thawte, and GeoTrust.
"To resolve the issue, we must migrate issuance to new ICAs and revoke all certificates issued under the impacted ICAs," Digicert told its customers in an email.
"Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT (July 11, 18:00 UTC)."
We understand the number of certs set to be pulled is somewhere in the range of 50,000. For those not in the know, computers and other devices are told, typically, by their operating systems to trust certificates issued by Digicert. Rather than handle the issuing of certs all by itself, it allows intermediates, such as GeoTrust, to issue certificates on its behalf. Thus when you, say, visit a website secured by a HTTPS cert issued by GeoTrust, the browser can follow the chain back to Digicert and trust the connection is all above board. Now thousands of these certificates need to be reissued due to a bureaucratic screw-up.
And, by the way, EV certs, aka Extended Validation certificates, are supposed to be the gold standard in the cert-selling industry: these are the ones that show up with the cert owner's legal name in some browsers' address bar next to the padlock. This is so that when you're visiting your bank's website, and it says My Super Bank Corp, you're reassured this really is the real deal. EV certs have their critics.
'The result is a weird situation'
On Monday, Digicert VP of product security and compliance Brenda Bernal explained, via Mozilla's Bugzilla system, that the mass revocation this week was needed because intermediate certificate authorities created between August 2013 and February 2018 were incorrectly left out of its audit reports.
"In the past, ICAs were listed in audit reports based on planned usage rather than whether they were capable of issuing EV, meaning that not all TLS issuing certs were listed in the audit report. This is separate from how we pull EV data for the auditor sample, where the sample is pulled from all issued certs, regardless of chain," said Bernal.
"The result is a weird situation where all of the certs were tested against the EV requirements, but the audit report did not list the specific ICA. Because of this, we are revoking all of the end-entity EV certs and moving them to a new chain."
Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, tooMORE LIKE THIS
DigiCert only learned of the problem on July 2, and decided on Monday to throw the EV certs on the bonfire with the industry-mandated five days of notice. A plan to run a new audit is underway, and will likely take place next month.
While DigiCert was commended for taking quick action to resolve the issue, some of the customers of the impacted ICAs are less than thrilled about being given just five days of warning that they will have to replace their certs.
"I work in a major ISP and it has thrown our operations into organized chaos getting all impacted systems traced and new certs installed," a Reg reader, affected by the revocation and speaking on condition of anonymity, told us. "This is not straight forward as we interface with many third parties so we need to get their engagement and coordination."
Other customers expressed similar frustration at the short run-up to the mass revocation of tens of thousands of certs.
"Revoking over 50,000 certificates within five days is a draconian move that is only warranted when a severe security breach has been detected," wrote Bugzilla user Hank Nussbacher. "There needs to be some common sense in determining how long to allow before the certificate is revoked. Minor typos in province or mistakes with audit reports should be given 2-4 weeks to revoke certificates."
As others point out, however, it isn't Digicert's call to only wait five days for the revocation. Rather, that is what is required by Mozilla and CAB Forum rules.
Digicert had no comment at time of going to press. ®