I don't see an issue here, or why there is any relevance to certificate revocation lifetimes.

It looks like the TRO was granted because the provided exhibits mention nothing about DigiCert's ability and authority to revoke certificates (or, indeed, about any of the subscriber requirements to meet BR expectations, etc.). Presumably this is due to "selective" document exhibition by the complainant through including the MSA but not the attached appendices, addenda, or other components where that language presumably currently resides.

Even with the granted TRO, DigiCert should have revoked the certificates from all other customers within the 24 hour deadline (which did not happen). They then should have filed a delayed revocation incident, citing the above case as an "exceptional" circumstance. I would then expect their "how we will avoid this happening in the future" action items to include updating their MSA to explicitly state that DigiCert can revoke certs at any time for any reason without notice, so that such "selective" information provision to a court of law is no longer possible, and to also state they will drop any customer that attempts to use legal action against them, and refuse to take on customers that have attempted legal action against other CAs in the past.

All of this puts the burden of maintaining flexibility back where it should be -- on subscribers. Indeed, if anything, this incident suggests that instead of 24 hr or 5 days, the timeline should be "as soon as the list of affected certs is assembled, revoke them all." Systems that are not critical will have outages (which is OK). Systems that are critical will also have outages in the short term, which is also OK because it incentivizes hot spares, automation, lifecycle management, and other best practices to make for an agile ecosystem.

Tyrel

On Wednesday, July 31, 2024 at 6:56:30 PM UTC-4 Watson Ladd wrote:

> https://www.courtlistener.com/docket/68995396/alegeus-technologies-llc-v-digicert/
>
> Gratuitous Warren Zevon references aside, and it still being early
> days I don't think there is much to discuss yet, but it is
> disconcerting. I cannot imagine an auditor receiving a similar notice
> if they needed to qualify a previously unqualified opinion, despite
> far more dire consequences for a company involved.
>
> Between this and the delays happening because of the volume of
> requests we might have to rethink the realistic ability to achieve
> widespread 24 hour revocations in practice.
>
> Sincerely,
> Watson
>
> --
> Astra mortemque praestare gradatim
