We are coordinating closely with Verizon’s senior leadership and they have reiterated to us that they understand the importance of addressing these issues quickly and completely. They have committed to have all issues remediated no later than September 19, 2019 and also to submit proof of the remediations to the auditor by that date. Verizon has committed to us that they are pushing to close the issues even sooner and will provide us with reports on their progress weekly, so they are openly sharing information. Verizon has stated that they are working towards a completed and clean point-in-time audit by September 19, 2019 as well. Further, Verizon is no longer issuing new certificates and had stopped issuing such certificates prior to May 1, 2018, which is the start of the audit period in scope. We also have discussed and agreed on a plan for the accelerated decommissioning of the SSL OnDemand platform, including revocation of the related CAs, by the end of January 2020, which will allow Verizon’s customers to have an orderly transition of services off of these CAs without adverse customer and end-user impact. To ensure adequate monitoring of progress, DigiCert will conduct on-site reviews of the Verizon PKI environment leading up to the final shutdown date and receive a weekly status report from Verizon, effective immediately.
Regarding the impact of immediate revocation, Verizon has informed us that as of September 10, it will have roughly 6,750 certificates active from these two CAs, which include Subject Alternative Name entries for about 13,000 hosts. Roughly 750 certificates are expiring each month. Verizon is no longer issuing new certificates and had stopped issuing such certificates prior to May 1, 2018, which is the start of the audit period in scope. Due to the volume of hosts involved, replacing certificates in all hosts is a complex project, as Verizon and/or its customers would need to coordinate with the host and owner of the host, and the owner would need to generate Certificate Signing Requests, submit orders for replacement certificates, go through the required validation processes, retrieve signed certificates, and install them into each relevant host. Given the extensive efforts and coordination involved, this is not a task that can be completed in a few days, no matter how expeditiously all parties want to get this resolved.
We hope this update provides the community the level of detail that explains the situation with Verizon. Thank you.