
Let’s Encrypt changes course on certificate revocation

by Jim Salter, Ars Technica

Certificate revocation isn't normally handled with boltcutters. (credit: Jan Kalib CC BY-SA 2.0)

Earlier this week, Let's Encrypt announced that it would revoke roughly three million (2.6 percent) of its currently active certificates. Last night, however, the organization announced that it would delay the revocation of many of those certificates in the interest of Internet health.

The impact of the revocation on system administrators was and is significant due to the very short window of maintenance allowed before the revocation went into effect. Roughly thirty-six hours were available from the initial announcement to the beginning of scheduled certificate revocation. Half an hour prior to the scheduled revocations, more than one million affected certificates had still not been renewed, and Let's Encrypt announced an additional delay to give administrators more time.

The revocations are necessary because of a bug in Let's Encrypt's CA (Certificate Authority) code, which allowed some domains to go unchecked for CAA (Certificate Authority Authorization) DNS record compliance. Although the vast majority of the certificates revoked posed no security risk, they were not issued in full compliance with security standards. Let's Encrypt's decision to rapidly revoke them all is in compliance with both the letter and spirit of security regulations.
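The check at the heart of this story is per-name CAA authorization: before issuing, a CA must confirm that every name in the request is covered by a CAA policy that names it. Below is an added example (not Let's Encrypt's CA code) that evaluates that authorization for each name in an order under the RFC 8659 lookup rule, against a constructed in-memory zone so it runs offline; a real check would query DNS.

```python
# Added example (not Let's Encrypt's CA code): evaluate CAA authorization for
# every name in a certificate request, following the RFC 8659 lookup rule
# (use the closest ancestor-or-self that has CAA records). It runs against a
# constructed in-memory zone so it works offline; a real check would query DNS.

# Constructed sample CAA data: owner name -> list of (flags, tag, value).
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "iodef", "mailto:sec@example.com")],
    "wild.example.com": [(0, "issuewild", "digicert.com")],
    "locked.example.org": [(0, "issue", ";")],   # ";" means no CA may issue
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_caa(name, zone):
    """Walk up the tree from the name (wildcard label dropped) to the first CAA set."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []  # no CAA anywhere up the tree

def caa_permits(name, ca, zone=ZONE):
    """True if CA `ca` may issue for `name` under the relevant CAA set."""
    records = relevant_caa(name, zone)
    if not records:
        return True  # no CAA policy: any CA may issue
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    wildcard = name.startswith("*.")
    if wildcard and any(tag == "issuewild" for _, tag, _ in records):
        tags = {"issuewild"}   # issuewild, when present, overrides issue for wildcards
    else:
        tags = {"issue"}       # issuewild is ignored for non-wildcard names
    allowed = [v for _, tag, v in records if tag in tags]
    if not allowed:
        return True  # CAA set present but no applicable issue property
    # Strip "; key=value" parameters; an empty issuer domain (";") permits nobody.
    issuers = {v.split(";", 1)[0].strip().lower() for v in allowed}
    return ca.lower() in issuers

def check_order(names, ca, zone=ZONE):
    """CAA result for every name in the order; issuance requires all True."""
    return {n: caa_permits(n, ca, zone) for n in names}

if __name__ == "__main__":
    names = ["example.com", "www.example.com", "*.wild.example.com", "locked.example.org"]
    for n, ok in check_order(names, "letsencrypt.org").items():
        print(f"{n:25s} letsencrypt.org allowed: {ok}")
```

Administrators can run the same evaluation against their real records to confirm that every SAN they intend to renew is still authorized for letsencrypt.org.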
