August 1, 2024 at 05:48AM
DigiCert is revoking thousands of certificates due to a domain validation issue. Despite notifying customers and working to delay revocations for critical services, all impacted certificates must be revoked by August 3, 2024. Some customers have pursued legal action, while experts emphasize the security significance of addressing this noncompliance promptly.
The key takeaways are:
1. DigiCert has been revoking thousands of certificates due to a domain validation issue, affecting 83,267 certificates and 6,807 subscribers.
2. Some customers, especially those in critical infrastructure and vital sectors such as healthcare and telecommunications, are requesting more time to reissue their certificates to prevent service interruptions.
3. DigiCert had to initially revoke some certificates within 24 hours to comply with strict CA/Browser Forum rules, but is making efforts to delay revocations under exceptional circumstances to avoid disrupting critical services.
4. The revocation deadline for all impacted certificates is set for Saturday, August 3rd, 2024, 19:30 UTC.
5. Legal action has been initiated by some customers against DigiCert to block the revocation of certificates.
6. The issue concerns the process DigiCert used to validate ownership or administration of domains for TLS certificate requests; noncompliance with CA/Browser Forum (CABF) rules necessitated revocation within 24 hours.
7. A security expert, Andrew Ayer, emphasizes the security-critical nature of the incident and the risk of unauthorized certificates being issued due to the validation flaw.