Understanding deliberate delayed revocation: a threat to trust
Deliberate delayed revocation—the intentional postponement of revoking compromised certificates—poses a severe risk to internet security and trust. This practice creates vulnerabilities, erodes confidence in the web PKI, and weakens industry standards. As a leading Certificate Authority (CA), Sectigo rejects this harmful approach, advocating for immediate revocation, transparency, and accountability. To protect the digital ecosystem, the CA community must commit to eliminating delayed revocation and ensuring a secure, trustworthy internet.
Trust is the foundation of the modern internet. Every secure website, trusted email, or signed document depends on the underlying integrity of the web Public Key Infrastructure (PKI). Yet, like any ecosystem, the web PKI is only as strong as its weakest link. Among the various issues that threaten this trust, one stands out as both pervasive and preventable: deliberate delayed revocation.
This harmful practice, where compromised certificates are intentionally left valid for extended periods, has become an industry-wide scourge. It undermines security, weakens user confidence, and leaves the door open for cybercriminals.
As one of the leading Certificate Authorities (CAs), Sectigo has long recognized that deliberate delayed revocation is incompatible with the mission of protecting the public good. In this article, we’ll unpack why this practice persists, the dangers it poses, and why the CA community must take decisive action to eradicate it.
What is deliberate delayed revocation?
When a certificate is misissued, compromised, or otherwise deemed untrustworthy, the CA responsible is required to revoke it. Revocation ensures that the certificate is no longer valid and prevents bad actors from abusing it.
However, revocation isn’t always immediate. In cases of deliberate delayed revocation, some CAs choose to prioritize their own convenience, or their customers’, over the integrity of the web PKI. Instead of promptly invalidating the certificate, they delay the process to minimize customer disruption or to avoid operational complexity.
The rationale for this practice often hinges on short-term benefits: retaining customer satisfaction, reducing support costs, or avoiding embarrassment from admitting errors. But these justifications ignore the broader implications for security and trust.
Why it’s a threat
The impact of deliberate delayed revocation extends far beyond the boundaries of the individual CA. It undermines the very trust that public CAs are tasked to protect.
- Creates a window of vulnerability: By delaying revocation, compromised certificates remain valid and exploitable. This gives attackers a window to impersonate trusted entities, steal sensitive data, or launch phishing campaigns.
- Erodes confidence in the ecosystem: Public CAs operate within a shared trust framework. When one CA fails to meet its obligations, it reflects poorly on the entire ecosystem. Users may lose confidence in secure communications altogether.
- Weakens compliance and standards: Deliberate delayed revocation sets a dangerous precedent. If CAs believe they can ignore or bend the rules for convenience, it undermines the standards that are critical to ensuring a robust web PKI.
- Invites distrust and regulatory consequences: High-profile examples of delayed revocation, such as those involving tens of thousands of certificates, have led to significant backlash. Some CAs have faced distrust and removal from browser root programs, a drastic and public failure that jeopardizes their existence.
Why CAs must act
At Sectigo, we view revocation as a moral and operational imperative. When a certificate is compromised, the clock is ticking, and we take immediate action. This isn’t always easy. It involves significant investment in automation, transparent communication with customers, and a willingness to absorb short-term inconvenience.
But the payoff is clear: a more secure, trustworthy ecosystem.
Ethical leadership demands that public CAs adhere to the highest standards, even when it’s difficult. Delayed revocation isn’t just a bad habit; it’s a betrayal of the trust placed in us as gatekeepers of the web.
A call to the CA community
The solution to this problem is clear: public CAs must commit to doing better. This starts with recognizing that deliberate delayed revocation has no place in our industry. From there, it requires investing in systems that make immediate revocation both practical and efficient.
Accountability is also essential. Browser programs and industry bodies must hold CAs to account when they fail to meet their obligations. The consequences of inaction—or worse, complacency—are simply too great.
To every CA: deliberate delayed revocation is a choice. It’s time to make a better one.
Trust must be earned
Trust is not a renewable resource. It’s painstakingly earned over years and can be lost in an instant. Deliberate delayed revocation chips away at the very trust that allows the web PKI to function.
At Sectigo, we’ve made it our mission to prioritize public good, transparency, and security. We challenge others in the CA community to join us in eradicating this harmful practice and upholding the trust that users place in us every day.
Trust is too valuable to squander. The internet deserves better. Let’s deliver.