Earlier this week, Let’s Encrypt announced that it would revoke roughly three million—2.6 percent—of its currently active certificates. Last night, however, the organization announced that it would delay the revocation of many of those certificates in the interest of Internet health.
The impact of the revocation on system administrators was and is significant due to the very short window of maintenance allowed before the revocation went into effect. Roughly thirty-six hours were available from the initial announcement to the beginning of scheduled certificate revocation. Half an hour prior to the scheduled revocations, more than one million affected certificates had still not been renewed, and Let’s Encrypt announced an additional delay to give administrators more time.
The revocations are necessary because of a bug in Let’s Encrypt’s CA (Certificate Authority) code, which allowed some domains to go unchecked for CAA (Certificate Authority Authorization) DNS record compliance. Although the vast majority of the certificates revoked posed no security risk, they were not issued in full compliance with security standards. Let’s Encrypt’s decision to rapidly revoke them all is in compliance with both the letter and spirit of security regulations.
At the time of the compliance deadline—2020-03-05 03:00 UTC, or 9pm EST last night—the organization proceeded with the revocation of more than 1.7 million certificates that had already been renewed. The remaining 1.3 million or so certificates are receiving an unspecified grace period to minimize wide-scale disruption to the Web services using them.
It’s worth noting that the roughly 1.3 million still-unrevoked certificates pose minimal security risk. Of the three million certificates scheduled for revocation, only 445 were identified as actually having had CAA records that should have prohibited Let’s Encrypt certificate issuance—and all of those certificates have already been revoked.
The remaining certificates would have been in compliance with regulations had they actually been checked before issuance—but regulations don’t permit post-issuance validation, so “potentially valid” in this case still means “invalid, and must be revoked.”
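To make concrete what the CA code was supposed to do for each name, the following is an added example (not Let's Encrypt's code, and not the code that contained the bug) of a CAA policy check along the lines of RFC 8659: climb from the requested name toward the root until a name with CAA records is found, then decide whether the issuer's domain is authorised by the `issue` (or, for wildcards, `issuewild`) properties. The zone data is constructed inline to stand in for DNS answers; the domain names and records in it are invented for the example. The point of `authorize_request` is the one the article makes: every name in a request has to be checked before issuance, because the rules give no credit for a check done afterwards.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 128 (0x80) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org" or ";" (no issuer permitted)

# Constructed CAA data standing in for DNS lookups (example names, not real zones).
ZONE = {
    "example.org.":         [CAARecord(0, "issue", "letsencrypt.org"),
                             CAARecord(0, "issuewild", ";")],
    "strict.example.net.":  [CAARecord(0, "issue", "otherca.example")],
    "blocked.example.net.": [CAARecord(0, "issue", ";")],
    "mixed.example.com.":   [CAARecord(0, "iodef", "mailto:security@example.com")],
    "crit.example.com.":    [CAARecord(128, "unknowntag", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name):
    """Stand-in for a DNS CAA query; returns the RRset for an absolute name."""
    return ZONE.get(name, [])


def relevant_caa_set(fqdn, lookup=lookup_caa):
    """Walk from fqdn up to (but not including) the root; the first name with a
    non-empty CAA RRset governs issuance for fqdn."""
    labels = (fqdn.rstrip(".") + ".").split(".")   # ['www', 'example', 'org', '']
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        rrset = lookup(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def caa_permits(ca_domain, requested_name, lookup=lookup_caa):
    """Return (permitted, reason) for issuing requested_name to the CA
    identified by ca_domain."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    origin, rrset = relevant_caa_set(base, lookup)
    if not rrset:
        return True, "no CAA records on the name or any parent"

    # A critical record with a tag this CA does not understand forbids issuance.
    for r in rrset:
        if r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical tag {r.tag!r} at {origin}"

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcards use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {origin} has no applicable issue/issuewild property"

    for r in applicable:
        # The issuer domain precedes any ';'-separated parameters; ';' alone means nobody.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer == ca_domain.lower():
            return True, f"matched {r.tag} {r.value!r} at {origin}"
    return False, f"CAA at {origin} does not authorise {ca_domain}"


def authorize_request(ca_domain, names, lookup=lookup_caa):
    """Check every name in a certificate request; return the names that fail.
    Issuance is only compliant if this list is empty before the cert is signed."""
    return [n for n in names if not caa_permits(ca_domain, n, lookup)[0]]


if __name__ == "__main__":
    for name in ["www.example.org", "*.example.org", "sub.strict.example.net",
                 "blocked.example.net", "mixed.example.com", "crit.example.com"]:
        print(name, caa_permits("letsencrypt.org", name))
    print("failing names:", authorize_request(
        "letsencrypt.org", ["www.example.org", "*.example.org", "mixed.example.com"]))
```

Running the block prints a decision and reason per name; `www.example.org` is permitted through the parent's `issue` record, while `*.example.org` is refused because the `issuewild ";"` record takes precedence for wildcards, and the unrecognised critical tag on `crit.example.com` blocks issuance outright.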
Let’s Encrypt has given no hard deadline for the remaining certificates to be revoked, but it notes that the certificates will “leave the ecosystem relatively quickly” regardless and that it expects to be issuing more revocations as it observes affected certificates being renewed.