DigiCert: Customer wants to replace certificates later and goes to court
Its lawyers argue that the replacement would cause irreparable harm to the major customer from the US healthcare sector. The CA extended the deadline.
The issuing company DigiCert is facing unexpected difficulties with the revocation of tens of thousands of digital certificates. After the CA (Certificate Authority) began withdrawing and reissuing around 83,000 certificates at the beginning of the week due to a formal error, it came under pressure from its customers. Various operators of critical infrastructures objected – one even obtained an injunction against DigiCert. With 20 million currently valid certificates, the company is the third-largest CA in the world.
But what happened? For several months, the random DNS entries that domain operators use to prove ownership of a domain to the CA (domain validation) were missing the required leading underscore ("_"). Certificates for domains verified in this way are not compliant, so DigiCert had no choice but to require 6,807 customers to reissue a total of 83,267 certificates within 24 hours.
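The article states only that the validation names lacked the required leading underscore. The following Python script is an added example, not DigiCert's tooling or code from the article: it audits zone-file-style DNS records and flags any CA validation CNAME whose owner name does not begin with an underscore-prefixed label. The record layout, the domain names and the CA validation zone `dcv.example-ca.net.` are all constructed for illustration.

```python
"""Audit DNS records used for CA domain validation (DCV).

Constructed example: records are supplied as zone-file-style lines
("owner TYPE rdata"), and a CNAME whose target falls inside the CA's
validation zone is treated as a DCV record.  Such a record is compliant
only if the leftmost label of its owner name begins with an underscore,
which keeps the validation name out of the ordinary hostname namespace.
"""

# Constructed sample zone data; names and the CA zone are hypothetical.
SAMPLE_RECORDS = """\
; validation records plus one unrelated address record
_dnsauth.example.com.      CNAME  abc123.dcv.example-ca.net.
dnsauth.example.org.       CNAME  def456.dcv.example-ca.net.
_dnsauth.api.example.org.  CNAME  ghi789.dcv.example-ca.net.
www.example.org.           A      203.0.113.10
"""

CA_VALIDATION_ZONE = "dcv.example-ca.net."   # hypothetical CA-controlled zone


def parse_records(text):
    """Yield (owner, rtype, rdata) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        owner, rtype, rdata = parts
        yield owner.lower(), rtype.upper(), rdata


def is_dcv_record(rtype, rdata, ca_zone=CA_VALIDATION_ZONE):
    """A CNAME whose target lies inside the CA's validation zone is a DCV record."""
    return rtype == "CNAME" and rdata.lower().endswith("." + ca_zone.lower())


def dcv_label_compliant(owner):
    """The owner name must start with an underscore-prefixed label."""
    leftmost = owner.split(".", 1)[0]
    return leftmost.startswith("_")


def audit_dcv_records(text, ca_zone=CA_VALIDATION_ZONE):
    """Return one finding per DCV record: owner, target, compliance flag, reason."""
    findings = []
    for owner, rtype, rdata in parse_records(text):
        if not is_dcv_record(rtype, rdata, ca_zone):
            continue
        ok = dcv_label_compliant(owner)
        findings.append({
            "owner": owner,
            "target": rdata,
            "compliant": ok,
            "reason": ("leftmost label starts with '_'" if ok
                       else "leftmost label lacks the '_' prefix; fix the record and revalidate"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_dcv_records(SAMPLE_RECORDS):
        status = "OK " if f["compliant"] else "BAD"
        print(f"{status} {f['owner']} -> {f['target']} ({f['reason']})")
```

Run against a real zone export, the script would list every validation CNAME that needs to be corrected before the affected certificates are reissued; only the underscore check is implemented, since that is the only defect the article describes.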
They did not like this at all. Operators of critical infrastructures in particular were simply unable to replace their certificates within a day without suffering downtime. DigiCert therefore relented after consulting browser manufacturers and extended the deadline until Saturday, August 3, 19:30 UTC (21:30 CEST). However, only companies and organizations that applied for this extension in writing benefited from the postponement; the application deadline has now expired.
German customers are also affected: As heise security has learned from a large German telecommunications company, even after the deadline extension the rushed replacement is spoiling the weekend for its administrators. Extra shifts have been ordered for Saturday to replace several thousand certificates in time.
For one major DigiCert customer, Alegeus Technologies, the deadline extension did not go far enough. The healthcare company offers employee benefits administration portals for US companies and has been working with DigiCert for several years. Last Tuesday, July 30, Alegeus sued the CA in a district court in the US state of Utah for breach of contract, arguing that the unexpected revocations meant DigiCert had breached the "Master Service Agreement". At the same time, Alegeus went one step further: the company obtained an injunction postponing the certificate replacement for up to seven days. Alegeus justified this step with the unreasonable effort for itself and its customers.
Seven-day postponement by court order
Intensive negotiations then apparently began behind the scenes between Alegeus, DigiCert and the CA/Browser Forum, whose rules and regulations are binding for CA operators. On August 1, Alegeus' legal counsel then announced a preliminary agreement to the court: They were content with a seven-day postponement and would recertify all customer domains during this period. A hearing originally scheduled for the beginning of next week is therefore no longer necessary.
What does the CA/Browser Forum say?
The system of commercial web CAs is currently coming under renewed scrutiny. Google, the largest browser manufacturer, recently tightened the thumbscrews and will soon be kicking two CAs out of the Chrome browser for continued rule violations. DigiCert probably had Mountain View's rigid approach vividly in mind when it noticed its underscore problem. To avoid getting into trouble with Google and the rest of the CA/Browser Forum (CA/B), an association of the major browser manufacturers and certificate authorities, the CA considered the reissue the lesser evil and went through with it.
Representatives of the CA/B have not yet commented on the court-ordered but non-compliant extension of the deadline. An inquiry by heise security to CA/B chairman Dimitris Zacharopoulos had not been answered by Friday afternoon.
However, the case is likely to raise eyebrows among CAs and browser manufacturers, as the US court considered a certificate revocation for technical reasons to be a breach of contract by the CA. If this legal opinion sets a precedent, certification authorities are likely to be exposed to greater risks in their business operations in future: Any revocation could lead to a lawsuit by the affected customers and at the same time bring the CA/B onto the scene.
(cku)