[dlgeek]

I doubt they just went out and did it randomly. I'd guess it was done via court order. The ACS got a court order against them that also ordered that 'internet search engines, web hosting sites, internet service providers (ISPs), domain name registrars and domain name registries cease facilitating “any or all domain names and websites through which Defendant Sci-Hub engages in unlawful access to, use, reproduction, and distribution of the ACS Marks or ACS's Copyrighted Works.”' (https://www.sciencemag.org/news/2017/11/court-demands-search...)

Alternatively, Microsoft might have had something to do with it (they're super anti-piracy, and have a contract with all the CAs that requires them to unilaterally revoke any cert at Microsoft's discretion), but I think that's far less likely than the court order.

[gruez]

>they're super anti-piracy, and have a contract with all the CAs that requires them to unilaterally revoke any cert at Microsoft's discretion

source?

[dlgeek]

https://social.technet.microsoft.com/wiki/contents/articles/...

> If Microsoft, it its sole discretion, identifies a DV Server Authentication certificate is being used to promote malware or unwanted software, Microsoft will contact the responsible CA and request that it revoke the certificate. The CA must either revoke the certificate within a commercially-reasonable timeframe, or it must request an exception from Microsoft within two (2) business days of receiving Microsoft’s request. Microsoft may either grant or deny the exception at its sole discretion. In the event that Microsoft does not grant the exception, the CA must revoke the certificate within a commercially-reasonable timeframe not to exceed two (2) business days.

[234213wefsdf]

This is absolutely insane, and Microsoft really has no position to make these demands. Does McDonalds have the right to get your drivers licensed revoked? (Even if you say... use the drive thru to steal mcnuggets?)

Hell no, and neither does microsoft.

[muizelaar]

Microsoft runs a root store. That gives them more leverage over the CAs than McDonalds has.

[ethbro]

I'd be curious what would happen if the "too big to fail" issuers pushed back against this.

Microsoft's only option is to completely drop the root cert, right? So there's no real non-nuclear option...

In the broader sense, this is one downside of the shift towards Lets Encrypt and CAs being more interchangable: increased power of the root stores relative to them.

Sometimes that's good, sometimes it's evil.

[rphlx]

> Microsoft's only option is to completely drop the root cert, right? So there's no real non-nuclear option...

In small-scale disputes MS (and other browser vendors) would not have to nuke an entire large CA to get their way. In principle they could just blacklist the individual certs/names, leaving the CA's other certs alone.

That ability/implied threat probably does mean that the CAs tend to comply with MS piracy/copyright-related revocation requests, because refusing to comply would piss off MS (and possibly law enforcement) without actually stopping them from getting their way by other means.

[voltagex_]

Sidenote to this: if you want to sign a Windows driver (and on XP+, you do), you can only use Microsoft approved CAs.

[solarkraft]

Could MS not ultimately stop honoring said vendor's certificates?

[tialaramex]

Yes, in the extreme case, Microsoft would be able to issue an urgent security update whose only purpose was to remove this CA from the Schannel trust store. The effect would be that IE, Edge, Chrome and most other SSL/TLS applications on Windows ceased to trust those certs. That's obviously really drastic, but they could certainly do it. (Firefox and various Free things wouldn't be affected because even on Windows they don't use Microsoft's trust store)

[kevingrahl]

I‘m really no expert on American law but can such a broad worded verdict be legal? I would have imagined that they‘d have to name every company/person that has to comply with it.

[UncleEntity]

The last article I saw on it was saying they got tired of playing whack-a-mole so went back and the court gave them a blanket ban.

I'm sure they could challenge it if they wanted to step on to US soil which, in this case, probably isn't such a good idea.