Let’s Encrypt changes course on certificate revocation

Administrators are getting a little more time to replace affected certificates. …

Certificate revocation isn't normally handled with boltcutters.



Earlier this week, Let’s Encrypt announced that it would revoke roughly three million—2.6 percent—of its currently active certificates. Last night, however, the organization announced that it would delay the revocation of many of those certificates in the interest of Internet health.

The impact of the revocation on system administrators was, and remains, significant because of the very short maintenance window between the announcement and the start of revocation: roughly thirty-six hours. Half an hour before the scheduled revocations began, more than one million affected certificates had still not been renewed, and Let's Encrypt announced a further delay to give administrators more time.

The revocations are necessary because of a bug in Boulder, Let's Encrypt's CA (Certificate Authority) software. Before issuing, a CA must confirm that the domain's CAA (Certification Authority Authorization) DNS records, if any exist, permit that CA to issue, and Let's Encrypt rechecks CAA at issuance time when a domain's validation is more than eight hours old. When a certificate request contained several names that needed rechecking, the bug caused Boulder to check one of those names repeatedly instead of checking each one, so the remaining names were never rechecked. Although the vast majority of the affected certificates posed no practical security risk, they were not issued in compliance with the CA/Browser Forum Baseline Requirements, which oblige a CA to revoke misissued certificates within five days. Let's Encrypt's decision to revoke them all quickly follows both the letter and the spirit of those rules.
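To make the failure concrete, here is an added example (not Boulder's code, and not from the original article) of the CAA authorization decision a CA has to make for every name in an order, following the RFC 8659 "tree climbing" rules, with a second routine that reproduces the shape of the reported mistake: performing N checks that all hit the same name. The zone data, domain names and the `CAA`, `lookup_caa`, `caa_permits`, `recheck_correct` and `recheck_one_name_n_times` helpers are constructed for illustration; only `letsencrypt.org` as Let's Encrypt's CAA issuer domain is real.

```python
"""Toy CAA (RFC 8659) check: correct per-name rechecking versus the
one-name-checked-N-times mistake that forced the March 2020 revocations.
Added example, not Boulder code. The zone below is constructed, not live DNS."""

from dataclasses import dataclass

CA_DOMAIN = "letsencrypt.org"          # Let's Encrypt's real CAA issuer domain
ISSUER_CRITICAL = 0x80                 # RFC 8659 flags bit: unknown tag => refuse
KNOWN_TAGS = {"issue", "issuewild", "iodef", "contactemail", "contactphone"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0x80 marks an issuer-critical property
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org"; ";" alone means nobody may issue


# Constructed zone data (hypothetical names): name -> CAA RRset.
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "partner.example": [CAA(0, "issue", ";")],                 # forbids every CA
    "shop.example.net": [CAA(ISSUER_CRITICAL, "future-tag", "x")],
    "wild.example.org": [CAA(0, "issue", "letsencrypt.org"),
                         CAA(0, "issuewild", "otherca.example")],
}


def lookup_caa(name):
    """Tree climbing: return the first non-empty CAA RRset found at `name`
    or one of its parents; [] when no ancestor publishes CAA."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_matches(rr, ca_domain):
    # issue/issuewild value is "<domain>[; params]"; a bare ";" yields "" and never matches
    domain = rr.value.split(";", 1)[0].strip()
    return domain.lower() == ca_domain.lower()


def caa_permits(name, ca_domain=CA_DOMAIN):
    """May `ca_domain` issue for `name` (a plain FQDN or a "*.example" wildcard)?"""
    wildcard = name.startswith("*.")
    rrset = lookup_caa(name[2:] if wildcard else name)
    if not rrset:
        return True                    # no CAA anywhere in the tree: any CA may issue
    if any(rr.flags & ISSUER_CRITICAL and rr.tag not in KNOWN_TAGS for rr in rrset):
        return False                   # critical property we do not understand
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                    # CAA present but no issuance restriction
    return any(issuer_matches(rr, ca_domain) for rr in relevant)


def recheck_correct(names, ca_domain=CA_DOMAIN):
    """Recheck every name in the order; issue only if all of them permit it."""
    return all(caa_permits(n, ca_domain) for n in names)


def recheck_one_name_n_times(names, ca_domain=CA_DOMAIN):
    """Shape of the reported bug: N checks are made, but all against the same
    name, so the other N-1 names in the order are never examined."""
    chosen = names[0]
    return all(caa_permits(chosen, ca_domain) for _ in range(len(names)))


if __name__ == "__main__":
    order = ["www.example.com", "partner.example"]
    print("correct per-name recheck:", recheck_correct(order))           # False
    print("one name checked N times:", recheck_one_name_n_times(order))  # True
```

The second name in the sample order publishes `issue ";"`, so a correct recheck refuses the whole order, while the one-name-N-times variant passes it: exactly the kind of certificate that had to be revoked even though, for most real orders, every name would have passed.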

At the compliance deadline of 2020-03-05 03:00 UTC (10pm EST on the evening of March 4), the organization proceeded with the revocation of more than 1.7 million certificates that had already been renewed. The remaining 1.3 million or so certificates are receiving an unspecified grace period to minimize widescale disruption to Web services that still depend on them.

It’s worth

