Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
crote 3 days ago

No. The customer is violating their contract.

The whole "customer is king" doesn't apply to something as critical as PKI infrastructure, because it would compromise the safety of the entire internet. Any CA not properly applying the rules will be removed from the trust stores, so there can be no exceptions for companies who believe they are too important to adhere to the contract they signed.

luckylion 3 days ago | parent [-]

How would a CA not being able to contact some tiny customer (surely the big ones all can and do respond in less than 90 days?) compromise the safety of the entire internet?

And if the safety of the entire internet is at risk, why is 47 days days an acceptable duration for this extreme risk, but 90 days is not?

detaro 3 days ago | parent | next [-]

> surely the big ones all can and do respond in less than 90 days?

LOL. old-fashioned enterprises are the worst at "oh, no, can't do that, need months of warning to change something!", while also handling critical data. A major event in the CA space last year was a health-care company getting a court order against a CA to not revoke a cert that according to the rules for CAs the CA had to revoke (in the end they got a few days extension, everyone grumbled and the CA got told to please write their customer contracts more clearly, but the idea is out there and nobody likes CAs doing things they are not supposed to, even if through external force).

One way to nip that in the bud is making sure even you get your court order preventing the CA from doing the right thing, your certificate will expire soon anyways, so "we are too important to have working IT processes" doesn't work anymore.

brazzy 3 days ago | parent [-]

Can you de-anonymize that event for me? Wasn't able to find it given the lack of unique keywords to search for.

detaro 3 days ago | parent | next [-]

sure!

News report: https://www.heise.de/en/news/DigiCert-Customer-seeks-to-exch...

nitty-gritty bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1910322#c8

some follow-on drama: https://news.ycombinator.com/item?id=43167087

3 days ago | parent | prev [-]
[deleted]
zamadatix 2 days ago | parent | prev [-]

I have a feeling it'll eventually get down even lower. In 2010 you could pretty easily get a cert for 10 years. Then 5 years. Then 3 years. Then 2 years. then 1 year. Then 3 months. Now less than 2 months .