Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
kalmarv 11 hours ago

Hopefully it's just a technical issue and not something like a key compromise. This could have disastrous effects considering how much of the web runs on LE certs these days.

Granted if it's configured properly everyone should have 30 days of leeway before having to issue new certs...

mark_round 11 hours ago | parent [-]

"We have been made aware of a potential incident and are shutting down all issuance" seems to lean towards the latter and not simply a technical issue :(

tptacek 11 hours ago | parent | next [-]

Josh Aas is on the thread. It's a compliance issue, they expect to be issuing shortly.

rvnx 11 hours ago | parent [-]

What if they get kicked out of trusted roots because non-compliant ?

wolrah 10 hours ago | parent | next [-]

You don't get kicked out of trusted roots for non-compliance, you get kicked out for continuing to knowingly issue non-compliant certs, failing to revoke non-compliant certs in a timely fashion once discovered, etc.

Pausing issuance immediately upon discovery of a compliance issue is the absolute correct response so as long as they do their followup appropriately there is absolutely zero risk of being distrusted.

rvnx 8 hours ago | parent [-]

> You don't get kicked out of trusted roots for non-compliance

Of course you do, it's the main reason CAs fix compliance issues so fast.

Symantec, WoSign, Entrust, etc repeatedly had non-compliance issues and that led to them being removed (even if fixed)

Here was not a big issue: they forgot a flag to narrow the delegation of trust (but nobody knew that a few hours ago)

Still it can be very problematic, there is a quite similar situation here https://bugzilla.mozilla.org/show_bug.cgi?id=1883843

A basic non-compliance issue, just a web link missing, but huge consequences if they don’t fix it.

Repeated non-compliance (like the Symantec) will eventually get you removed even if fixed.

The core definition of losing “trust” in someone.

Keep in mind that few hours ago, nobody knew what the violation was. Turns out it was an easy fix.

tptacek 8 hours ago | parent [-]

You didn't actually respond to what the preceding comment argued. They were just pointing out the distinction between Symantec and WoSign and ordinary compliance events.

nicolas_17 11 hours ago | parent | prev | next [-]

That's why they take incidents like this seriously and stop issuance until it's fixed. They could get kicked out of trusted roots otherwise.

nijave 10 hours ago | parent | prev [-]

Change your config to ZeroSSL or another free ACME provider?

Dylan16807 10 hours ago | parent | prev [-]

What makes you think that?