The revocation of certificates is usually not handled with bolt cutters.
Earlier this week, Let's Encrypt announced that around three million – 2.6 percent – of its currently active certificates would be revoked. Last night, however, the organization announced that it would delay the revocation of many of those certificates in the interest of internet health.
The effect of the revocation on system administrators was, and remains, significant because of the very short maintenance window allowed before the revocation took effect: roughly thirty-six hours between the first announcement and the scheduled revocation. Half an hour before the planned revocation, more than a million affected certificates had still not been renewed, and Let's Encrypt announced a further delay to give administrators more time.
The revocations are required because of a bug in Let's Encrypt's Certificate Authority (CA) code, which allowed some domain names to skip the required check of their Certificate Authority Authorization (CAA) DNS records. In Let's Encrypt's own description of the defect, when a certificate request contained several names whose CAA records needed re-checking, the CA software checked one of those names repeatedly instead of checking each name once. Although the vast majority of the revoked certificates posed no security risk, they were not issued in full compliance with the CA/Browser Forum's Baseline Requirements, which mandate the CAA check, and Let's Encrypt's decision to revoke all of them promptly follows both the letter and the spirit of those rules.
At the original deadline – 2020-03-05 03:00 UTC, or 21:00 EST last night – the organization had revoked more than 1.7 million certificates that had already been renewed, so revoking them caused no disruption. The remaining roughly 1.3 million certificates have been given an open-ended grace period to minimize widespread disruption to the web services that use them.
It is worth noting that the roughly 1.3 million certificates not yet revoked represent a minimal security risk. Of the three million certificates scheduled for revocation, only 445 were issued for names whose CAA records should have prohibited Let's Encrypt from issuing them, and all of those certificates have already been revoked.
The remaining certificates would have passed the CAA check had it actually been performed before issuance. The rules, however, do not allow validation after the fact: CAA must be checked shortly before issuance (within eight hours under the Baseline Requirements), so in this case "would have been valid" still means "invalid and must be revoked".
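To make concrete what the CAA check does and why the bug above let some names through, here is an added example (my own code, not Let's Encrypt's Boulder software): a CAA evaluation following RFC 8659 (climb from the requested name toward the root, use the first CAA RRset found, let issuewild govern wildcard requests) against an in-memory stand-in for DNS, followed by a re-check loop modelled on Let's Encrypt's public description of the bug (one name checked N times) next to a corrected loop that checks every name once. The zone data, host names and CA identifier are constructed for illustration; real Boulder performs live DNS lookups and only re-checks names whose authorization is older than the eight-hour window.

```python
# Added example, not Let's Encrypt / Boulder code. CAA evaluation per RFC 8659
# against constructed in-memory DNS data, plus buggy-vs-fixed re-check loops.

OUR_CA = "letsencrypt.org"  # CA identifier as it would appear in an issue record

# Constructed CAA data (assumption, illustration only): owner name -> [(flags, tag, value)].
FAKE_DNS = {
    "example.com.": [(0, "issue", "letsencrypt.org")],
    "shop.example.com.": [(0, "issuewild", "wildcards-r-us.example")],
    "othersite.example.": [(0, "issue", "some-other-ca.example")],  # forbids OUR_CA
    "denyall.example.": [(0, "issue", ";")],                         # ';' forbids every CA
    # no entry for noprefs.example: no CAA record anywhere in its ancestry
}


def lookup_caa(owner):
    """Exact-owner CAA query against the stand-in; [] when no RRset exists."""
    return FAKE_DNS.get(owner, [])


def relevant_caa_rrset(fqdn):
    """RFC 8659 section 3: walk from the FQDN toward the root and use the first
    non-empty CAA RRset found. An empty list means no CAA policy applies."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def _issuer_of(value):
    """'ca.example; validationmethods=dns-01' -> 'ca.example'; ';' -> '' (deny all)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, ca=OUR_CA):
    """True if CAA allows `ca` to issue for `name` ('*.' prefix = wildcard request).
    RFC 8659 section 4: issuewild governs wildcards when present, otherwise issue
    does; if the relevant RRset has no governing tag, issuance is unrestricted."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    rrset = relevant_caa_rrset(fqdn)
    if not rrset:
        return True
    tags = {tag for _, tag, _ in rrset}
    governing = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    issuers = [_issuer_of(v) for _, tag, v in rrset if tag == governing]
    if not issuers:
        return True  # only unrelated tags (e.g. iodef, or issuewild for a non-wildcard)
    return ca.lower() in issuers


def recheck_caa_buggy(names):
    """Re-check loop as Let's Encrypt described the 2020 Boulder bug: the same
    single name is checked len(names) times, so the other names are never
    examined. Returns the names found to be forbidden."""
    first = names[0]
    results = {first: caa_permits(first) for _ in names}  # one key, N checks
    return sorted(n for n, ok in results.items() if not ok)


def recheck_caa_fixed(names):
    """Corrected loop: every name in the order is checked once."""
    results = {n: caa_permits(n) for n in names}
    return sorted(n for n, ok in results.items() if not ok)


if __name__ == "__main__":
    order = ["www.example.com.", "othersite.example."]
    print("buggy re-check forbids:", recheck_caa_buggy(order))  # []
    print("fixed re-check forbids:", recheck_caa_fixed(order))  # ['othersite.example.']
```

The two-name order in the usage block is exactly the shape that produced the 445 genuinely mis-issued certificates: the first name's CAA permits Let's Encrypt, the second name's CAA names a different CA, and the buggy loop never looks at the second name. Every other order that passed the buggy loop would also have passed the fixed one, which is why those certificates were "would have been valid" rather than mis-issued in substance.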
Let's Encrypt has not set a fixed deadline for revoking the remaining certificates. It points out, however, that those certificates will "leave the ecosystem relatively quickly" whether or not further revocation action is taken, since Let's Encrypt certificates are valid for only 90 days and the affected ones will be renewed or expire within that time.