Digicert revoking certain certs failing CNAME validation
Just in case this hasn't made its way around: https://www.digicert.com/support/certificate-revocation-incident.
If you're only getting this now, you're probably in trouble, because they're revoking affected certs in about 15 mins.
On Tue, Jul 30, 2024 at 2:53 PM Innocent Obi <innocent.obijr@gmail.com> wrote:
Just in case this hasn't made its way around: https://www.digicert.com/support/certificate-revocation-incident.
Luckily it seems my org has since mitigated this, but it would be interesting to know the broader impacts/who is broadly impacted.
On Tue, Jul 30, 2024 at 12:20 PM Tom Beecher <beecher@beecher.cc> wrote:
If you're only getting this now, you're probably in trouble, because they're revoking affected certs in about 15 mins.
I have not noticed any revocation yet for my affected certificates. Has anyone had their affected certificates revoked yet?
On Tue, Jul 30, 2024 at 12:35 PM Innocent Obi <innocent.obijr@gmail.com> wrote:
Luckily it seems my org has since mitigated this, but it would be interesting to know the broader impacts/who is broadly impacted.
Actually it looks like they have updated their incident page (https://status.digicert.com/incidents/3sccz3v31lc9) with a new revocation date depending on if you get an exception. Also more details can be found here (https://bugzilla.mozilla.org/show_bug.cgi?id=1910322#c5).
On Tue, Jul 30, 2024 at 12:45 PM Peter Fisher <mail@phyn3t.com> wrote:
I have not noticed any revocation yet for my affected certificates. Has anyone had their affected certificates revoked yet?
Not shocked. At least one company got a TRO preventing the 24h revocation. Honestly I think it's the right thing anyway. It doesn't make a ton of sense to punish everyone else because the CA itself screwed up and *created* a circumstance that happens to meet one of the 24h / no extension conditions.
On Wed, Jul 31, 2024 at 12:14 AM Peter Fisher <mail@phyn3t.com> wrote:
Actually it looks like they have updated their incident page (https://status.digicert.com/incidents/3sccz3v31lc9) with a new revocation date depending on if you get an exception. Also more details can be found here (https://bugzilla.mozilla.org/show_bug.cgi?id=1910322#c5).
These short and immediate revocations as well as other issues will keep happening since the CA/B has no end user representation. See my blog post from 4 years ago: https://www.iucc.ac.il/en/blog/internet-certificates/
Regards, Hank
On 31/07/2024 7:14, Peter Fisher wrote:
Actually it looks like they have updated their incident page (https://status.digicert.com/incidents/3sccz3v31lc9) with a new revocation date depending on if you get an exception. Also more details can be found here (https://bugzilla.mozilla.org/show_bug.cgi?id=1910322#c5).
Affects 83,267 certs impacting 6,807 Digicert subscribers. Less than 0.4% Digicert Domain Validated (DV) certs. As far as I know, the major browser vendors no longer show any user visible distinction between different types of certificate issuance validation. UI testing found users didn't understand what the differences meant.
On Tue, 30 Jul 2024, Innocent Obi wrote:
Just in case this hasn't made its way around: https://www.digicert.com/support/certificate-revocation-incident.
participants (5)
- Hank Nussbacher
- Innocent Obi
- Peter Fisher
- Sean Donelan
- Tom Beecher