[makomk]

Oh, this is nothing. A while back the browser vendors decided that since underscores weren't technically allowed in subdomain names, every CA who'd issued such certificates needed to revoke them all. It turned out that some of those certificates weren't terribly easy to replace. In particular, a whole bunch were in use by a health insurance enrollment system that was right in the middle of the main enrollment period and because of that could only receive changes that were absolutely essential. So the CA ended up missing the deadline to revoke them by a few months in order to keep this all working. The annointed enforcers of the CA rules were, of course, utterly pissed that their underscore pedanticism wasn't considered important enough to risk people losing access to healthcare for, pointing out that they could certainly deploy a fix if there was some critical security issue so why couldn't they do it for this?