Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle
2020-07-10 00:29

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities had issued EV certs to customers despite not being included in DigiCert's WebTrust audits - which goes against the rules for EV certs.

"Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT."

"In the past, ICAs were listed in audit reports based on planned usage rather than whether they were capable of issuing EV, meaning that not all TLS issuing certs were listed in the audit report. This is separate from how we pull EV data for the auditor sample, where the sample is pulled from all issued certs, regardless of chain," said Bernal.

"The result is a weird situation where all of the certs were tested against the EV requirements, but the audit report did not list the specific ICA. Because of this, we are revoking all of the end-entity EV certs and moving them to a new chain."

DigiCert only learned of the problem on July 2, and decided on Monday to throw the EV certs on the bonfire with the industry-mandated five days of notice.


News URL

https://go.theregister.com/feed/www.theregister.com/2020/07/10/digicert_pulls_certs/