Actalis: Insufficient Serial Number Entropy

  • Cases like this seem to confirm the approach LetsEncrypt took of only issuing certificates of a somewhat-short lifetime, which kind of forces a user to fully automate the handling of certificates (monitoring expiration, taking measures to request a new cert in time, deploying the new cert, ...).

    The practice of issuing certificates with a (sometimes very) long lifetime, from one year and up, results in a situation where such automation is not strictly required, and complex bureaucratic processes can be put in place to replace certs, which becomes a major issue when 'emergency' revocations are necessary. I'd argue such bureaucratic processes don't even increase 'security', because in the end they rely on people performing manual operations (often with more rights granted than strictly required), whilst an automated system can be more easily vetted, tested, and locked down.

  • Aside from the necessity of enforcing good security policy here, it's brutal to observe the situation Actalis was stuck in based on the thread's ongoing comments. They clearly got themselves into bad/unsustainable deals with big customers where they made promises that couldn't be fulfilled in these circumstances, so their choices were to (likely) lose those customers + harm their customers' users, or to risk getting kicked out of the root program. And if they don't play their cards right it's possible they BOTH lose their customers and get booted out of the root program eventually anyway. Not a fun situation to be in, especially because in this case it sounds like they got screwed by a bug in third-party software and not specifically due to bad internal processes.

  • I kind of feel for Actalis. It seems like they were caught between a rock and a hard place seeing as their customers were not/could not respond as quickly as hoped, and revoking the certs could negatively impact end-users by preventing them from, for example, obtaining prescriptions, etc. The language is dense for me, but it also sounded like there was a reasonable explanation in the BR for the exception (paraphrasing: ‘negatively impacting a large swath of internet users’), but it didn’t seem to assuage the concern of Ryan. I hope the Actalis guy didn’t lose his job.

  • Actalis is a major Italian CA that works mainly with big banks and the public sector, like (from the bug report)

    - the Tuscany Region (e.g. O=Rete Telematica Regionale Toscana, etc.)

    - the Piedmont Region (e.g. O=CSI Piemonte, etc.)

    - central public government (e.g. O=Bank of Italy, Ministry of Transports, etc.)

    - major banks (e.g. O=Unicredit S.p.A., FinecoBank, etc.)

    - large private companies (e.g. O=SNAM, Terna, Wind, etc.)

    - chambers of commerce

  • On one hand, this incident was a massive amount of work by probably thousands of people to replace all the revoked certificates. Certificates which are perfectly good for communication and do not pose any significant security risk.

    On the other hand, allowing a CA to violate the BRs without pain will just encourage others to do so.

  • Could somebody explain to me why Mozilla (or whatever organisation is using bugzilla here) are in a position to dictate policy here?

    If the majority of outstanding certificates were held by the Italian government, major banks and hospitals, what is the CA supposed to do if they're just told "No, you won't revoke the certificates until we're ready, we don't think the risk is worth it"? Further, reading a comment below on the usage of these certificates by the Italian state for mandatory reporting: it sounds like revoking could be considered a criminal offense...

    This very much reads like a private entity mandating that tens if not hundreds of thousands of Euros are spent by the Italian state over a very minor security risk.

  • For context: This issue affected a large number of CAs because it was an issue in a widely used free CA operation software (EJBCA).
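    As an added illustration of what "insufficient serial number entropy" means in practice (this is example code written for this page, not code from the thread, from Actalis or from the EJBCA project): the CA/Browser Forum Baseline Requirements require certificate serial numbers to be positive and to contain at least 64 bits of CSPRNG output. A DER INTEGER whose top bit is set needs a leading zero byte to stay positive, and a generator that instead clears the top bit of a 64-bit random value silently keeps only 63 bits. The `sign_bit_cleared_serial` function below is a constructed illustration of that shortfall, `compliant_serial` shows the usual fix (prefix a fixed 1 bit above the random bits), and `effective_entropy_bits` is a simple audit that an operator can run over a sample of issued serials: it counts the bit positions that actually vary across the sample, which is a lower bound on the entropy the generator contributed. The 256-serial sample size is an assumption chosen so that a varying bit is constant across the whole sample with negligible probability.

```python
import secrets

# CA/Browser Forum Baseline Requirements, section 7.1: serial numbers must be
# positive, non-sequential, and contain at least 64 bits of CSPRNG output.
BR_MIN_ENTROPY_BITS = 64


def compliant_serial(entropy_bits: int = BR_MIN_ENTROPY_BITS) -> int:
    """Draw entropy_bits from the OS CSPRNG and put a fixed 1 bit above them.

    The fixed bit keeps the value positive and of constant length without
    sacrificing any of the random bits (the serial is entropy_bits + 1 wide).
    """
    return (1 << entropy_bits) | secrets.randbits(entropy_bits)


def sign_bit_cleared_serial() -> int:
    """Constructed illustration of a short-falling generator (not EJBCA code).

    Draws 64 random bits, then clears the most significant one so that the
    8-byte DER INTEGER is positive without a leading zero byte. Only 63 bits of
    CSPRNG output survive, below the 64-bit minimum.
    """
    return secrets.randbits(64) & ((1 << 63) - 1)


def der_integer(n: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02, short length).

    If the top bit of the leading byte would be set, a 0x00 byte is prepended,
    which is exactly the extra byte a naive generator tries to avoid.
    """
    assert n >= 0
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # +8 forces the 0x00 pad when needed
    assert len(body) < 128, "short-form length only"
    return b"\x02" + bytes([len(body)]) + body


def effective_entropy_bits(serials) -> int:
    """Lower bound on the random bits a generator contributed to a sample.

    A bit position counts only if it is 0 in some serial and 1 in another;
    positions fixed across the whole sample (sign bit cleared, fixed prefix,
    zero padding) carry no entropy.
    """
    width = max(s.bit_length() for s in serials)
    mask = (1 << width) - 1
    seen_one = 0
    seen_zero = 0
    for s in serials:
        seen_one |= s
        seen_zero |= (~s) & mask
    return bin(seen_one & seen_zero).count("1")


def audit(serials) -> dict:
    """Summarise a sample the way a compliance check would report it."""
    bits = effective_entropy_bits(serials)
    return {
        "sample_size": len(serials),
        "varying_bits": bits,
        "meets_br_minimum": bits >= BR_MIN_ENTROPY_BITS,
    }


if __name__ == "__main__":
    # Sample sizes are constructed for this demonstration.
    good = [compliant_serial() for _ in range(256)]
    weak = [sign_bit_cleared_serial() for _ in range(256)]
    print("compliant generator:", audit(good))
    print("sign-bit-cleared generator:", audit(weak))
    print("DER of a compliant serial:", der_integer(good[0]).hex())
```

The audit only shows a lower bound, so a single short serial proves nothing (a 64-bit CSPRNG value has its top bit clear half the time); a whole sample in which one of the 64 intended positions never varies is the signal worth escalating.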

  • What surprises me is that people want OV certificates, since to my knowledge they are no different to DV certs in all applications...