Internet certificates are the “badge of validity” that every Internet site needs to have. That little lock icon in the browser URL address bar is supposed to give you a warm and fuzzy feeling that all is secure, and your conversation with the web site is encrypted, secure and private. Three companies that issue certificates control over 87% of the certificate market. The rules and policies for issuing a certificate are dictated by the very active CA/B Forum.
At the beginning of July 2020, Digicert announced that it was forced to revoke 50,000 EV (Extended Validation) certificates, since they “were not properly audited.” Over 19,000 of those EV certificates belong to GÉANT Trusted Certificate Service (TCS). Some member countries had to replace over 4,200 certificates. One of the sites affected was a nuclear reactor, and one of only three reactors worldwide that produce high volumes of medical radioisotopes. Another site was one that coordinates the distribution of Covid patients within hospitals and intensive care beds. In Israel, Ben-Gurion University of the Negev had to replace 125 certificates within 5 days.
The problem is that the CA/B regulations required that all 50,000 EV certificates be revoked within 5 days. No exceptions. If a Certificate Authority like Digicert requests a slight extension, it risks the wrath of the Browser Lords, who can revoke Digicert entirely from Firefox, Chrome and Opera, which would bankrupt Digicert. In 2018, Symantec was forced to sell its certificate service to Digicert after it “had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.” That was a major security breach that warranted this drastic response. But unfortunately the CA/B views minor issues in the same light as it does major ones. Minor issues can sometimes be as harmless as misspelling the name of a province as Issy-les-Molineaux instead of Issy-les-Moulineaux or typing the “wrong” locality field as “East Oakleigh” instead of the proper name “Oakleigh East”.
The implementers of CA/B rulings often tend to be strict and draconian. Unfortunately, the CA/B Forum is made up of only slightly more than 50 members, none of whom represent the views of end users – just the Certification Authorities (CAs) and browser vendors. Perhaps it is time that major end users of certificates make their voices heard in the CA/B Forum?