DigiCert: Underscores - Discover
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: jeremy.rowley, Assigned: brenda.bernal)
Details
(Whiteboard: [ca-compliance] [ov-misissuance])
Comment 1•6 years ago
|
||
Updated•6 years ago
|
Comment 2•6 years ago
|
||
Updated•6 years ago
|
Reporter | ||
Comment 3•6 years ago
|
||
Based on the conversation on the forum, the post from Wayne, and instruction from Google, our understanding is there is no exception or extension possible and the expectation is that all CAs will revoke the certificates on the date required by the BRs. We hope that the same rules/penalties/expectations will be applied to those CAs who fail to revoke on the required date. Thank you for the discussion. Although we were hoping for more compassionate results, we do appreciate the feedback and clarification on expectations.
Reporter | ||
Comment 4•6 years ago
|
||
Seems there was a mis-communication on the intent of the discussions. We will post an update answering Ryan's questions tomorrow. Please ignore my previous post. Apologies for the confusion.
Assignee | ||
Comment 5•6 years ago
|
||
The following certs from the above list posted by Jeremy has been replaced and will be revoked (crt.sh links followed by serial no):
https://crt.sh/?id=1045077703 05A885B7DA75337B716752211CAD0D2F
https://crt.sh/?id=1045077707 07F907423EBD4E45C28A2FE12EE3657A
https://crt.sh/?id=483157170 09A173971935496B7C0F22E9D17093EF
https://crt.sh/?id=483155735 0166A67ACCFF5FD813681A550DCB125E
https://crt.sh/?id=483154636 0314C43C3C36B079361BA1F68A5C057A
https://crt.sh/?id=328734985 098F51500239A0702004AEB710BDB009
https://crt.sh/?id=328616952 0391E231A3F86D70DA56E942AF399C94
https://crt.sh/?id=328734617 0AE2FE1F5707241513275D4376473014
https://crt.sh/?id=1045077708 0F3E6B7FE044159412591FCAB0767E24
https://crt.sh/?id=1045077719 08313EFDB2F6EEE79FB1088DCEBA47B3
https://crt.sh/?id=1045077716 075CF71BE294C8AF8AB4B653AF9B1CC1
https://crt.sh/?id=1045077714 01C7E0272B7C1234E243F7D0F5C4F2E6
All other certs originally listed above require an extension of time, by no later than February 14, 2019 to complete revocations.
As requested, here is our response to 7) List of steps CA is taking to resolve the situation and ensure it will not be repeated.
Digicert will improve flow and pace of communication, and ensure all customers are aware that the CPS and other documents specify that timely revocation is possible once ballots take effect. It is our contractual right to revoke. Because of the timing of this revocation (during when most of our customers have their IT Standard Code Freeze policy is in effect), we have had to weigh the end user risks and impact, and request an extension of time before revocation. We will ensure that our end users are clear that it is our responsibility to execute revocations based on policy changes as specified in our agreements.
In this case, the complexity of change in the customer's environment (3rd party dependencies), the black out period and number of certs to coordinate replacements contributed to the need for an extension of time to replace / revoke.
Comment 6•6 years ago
|
||
Jeremy: Can you confirm whether an incident occurred and ensure that all of the details of affected certs are accurate?
Assignee | ||
Comment 7•6 years ago
|
||
Hi Ryan, I will be responding to provide updates on the underscore incidents. I can confirm that an incident has occurred and the details provided are accurate to the best of our knowledge. Our planned extension to revoke the remaining certificates (listed above) is 14-February-2019. We will provide periodic updates as progress is made.
Updated•6 years ago
|
Assignee | ||
Comment 8•6 years ago
|
||
Update: All remaining underscore certs for this customer has been revoked as of today (14-Feb-2019).
Comment 9•6 years ago
|
||
Thanks for the update, Brenda.
I'm marking this matter as Resolved.
Updated•2 years ago
|
Updated•2 years ago
|
Description
•