Let's Encrypt: We Won't Revoke All Certificates Right Now
2020-03-06 14:18

Let's Encrypt planned to revoke more than 3 million TLS certificates on Wednesday after it discovered a bug that allowed an important security check performed during TLS certificate issuance to be bypassed.

On March 4, we will revoke 2.6% of currently active Let's Encrypt certificates.

That process moved ahead. More than 1.7 million certificates were reissued in just 48 hours, writes Josh Aas, executive director of the Internet Security Research Group, which runs Let's Encrypt, in a Bugzilla thread.

"Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline." - Josh Aas, Let's Encrypt

"Let's Encrypt only offers certificates with 90-day lifetimes, so potentially affected certificates that we may not revoke will leave the ecosystem relatively quickly," Aas writes.

The decision not to revoke all of the certificates drew Let's Encrypt some flak.


News URL

https://www.inforisktoday.com/lets-encrypt-we-wont-revoke-all-certificates-right-now-a-13895