by cjbprime 481 days ago
(I think Sectigo's argument is that Digicert did not even attempt to convince the court that it should be allowed to revoke those certificates in the mandated timeframe. If they had attempted and failed, I don't think they would be receiving criticism.)
1 comment

That's their argument, yes, but it was clearly based on the incorrect belief that there's some emergency button you can press to demand that a court consider your arguments ASAP. As Digicert explained:

> The legal world does not move as fast as the demands of our CA ecosystem. Our legal approach was to work with the complainant’s legal team to get the TRO dismissed in 5 days.

The court would not have dissolved the TRO in anywhere close to 5 days without the complainant's cooperation, even if Digicert had an ironclad argument for doing so. Digicert made the right choice to get the certificates rotated as fast as possible - and I don't think Sectigo intends to argue it would be better to stand on principle even if that makes the revocation slower.

One customer filed a TRO saying "don't revoke my certs". DigiCert then said "well, I guess we can't revoke any of the certs for the 80,000+ other customers either". That's stupid, and not acceptable. Instead, revoke the other 79,999 customers and communicate to the CABF saying "we've got one holdout that we are legally prevented from acting on." DigiCert didn't do that. They're not acting to transparently represent the interests of the CA/Browser Forum; instead they're trying to save their own skin from both sides. That's not good enough.
> the incorrect belief that there's some emergency button you can press to demand that a court consider your arguments ASAP

... isn't that exactly the legal button the complainant pushed to prevent the revocation?

Should've been more specific. You can ask a court to do all kinds of things, but the individual judge who reads your filing doesn't have to (and in most cases can't) carefully analyze your arguments that day. They need time to think it over, and probably hearings where you and the other party can explain all the arguments for why certain rulings should or shouldn't be made. A contract dispute like this, where one party says they have a right to do something and the other party says they don't, is almost always going to take longer than 1 or 5 or 30 days for a court to figure out.

Temporary restraining orders are the biggest exception. If DigiCert is about to do something crazy like take down all your websites, courts are generally willing to put a temporary stop to it without understanding all the details. "Preserve the status quo" and "prevent irreparable harm" are the buzzwords.

> If DigiCert is about to do something crazy like take down all your websites, courts are generally willing to put a temporary stop to it without understanding all the details. "Preserve the status quo" and "prevent irreparable harm" are the buzzwords.

So if DigiCert's irreparable harm was great would that prevent it? Like legally requiring CAs to follow their revocation policies or pay millions in damages?

You're conflating DigiCert's argument against issuance of the TRO with the irreparable harm the complainant (Alegeus) is alleging will occur if the TRO is not granted.

Are there actually millions in damages being caused by delaying revocation of these certificates? Courts are generally averse to "penalty clauses" where you make up a nonsense number and call it damages. (Irreparable harm means that ordering monetary compensation can't remediate it, so a more reasonable fee would probably not count.)

Could they not have had a clause in the contract saying "if you delay a revocation in any manner you owe us $100 million"?

So a customer could go right ahead and get a TRO but long term it will cost them less than making sure their infrastructure can handle this rare event?

Liquidated damages are possible, but they have to have some relationship to the damages suffered, so $100 million is probably far too high. In any case, I think the complainant was correct that it was DigiCert who caused the entire scenario to happen by issuing certificates which they should have known were invalid.