Hacker News new | ask | show | jobs
by Dylan16807 230 days ago
So what does "CA fixes the problem" look like in your head? Because they'll give you a new certificate right away. You have to install it, but you can automate that, and it's hard to imagine any way they could help that would be better than automation. What else do you want them to do? Asking them to not revoke incorrect or compromised certificates isn't good for maintaining security.
1 comments
michaelt 230 days ago
Imagine if, hypothetically speaking, the CA had given you a certificate based on a DNS-01 challenge, but when generating and validating the challenge record they'd forgotten to prefix it with an underscore. Which could have lead to a a certificate being issued to the wrong person if your website was a service like dyndns that lets users create custom subdomains.

Except (a) your website doesn't let users create custom subdomains; (b) as the certificate is now in use, you the certificate holder have demonstrated control over the web server as surely as a HTTP-01 challenge would; (c) you have accounts and contracts and payment information all confirming you are who you say you are; and (d) there is no suggestion whatsoever that the certificate was issued to the wrong person.

And you could have gotten a certificate for free from Lets Encrypt, if you had automatic certificate rotation in place - you paid $500 for a 12-month certificate because you don't.

An organisation with common sense policies might not need to revoke such a certificate at all, let alone revoke it with only hours of notice.

link
Dylan16807 230 days ago
You didn't answer my question. What would the CA fixing it look like? Your hosting example had the company fix problems, not ignore them.

And have you seen how many actual security problems CAs have refused to revoke in the last few years? Holding them to their agreements is important, even if a specific mistake isn't a security problem [for specific clients]. Letting them haggle over the security impact of every mistake is much more hassle than it's worth.

> if you had automatic certificate rotation in place - you paid $500 for a 12-month certificate because you don't

Then in this hypothetical I made a mistake and I should fix it for next time.

And I should be pretty mad at my CA for giving me an invalid certificate. Was there an SLA?

link