
> Besides, this kind of hyper-polite passive-aggressive "erm akchually" conversation happens in every CAB incident discussion.

As somebody who doesn't spend much time scrolling CAB reports, this was jarring to me.

Digicert's legal action seems nuts, and there seems like a real, risky issue in the idea that a company's customers can use the legal system to block the company from complying with its obligations to other entities, but it's hard to see any way that could be productively addressed given the back and forth in the thread. It's like I'm watching a theatrical production starring the most stereotypical corporate drones trading comments with the most stereotypical IRC nerds, both sides doing circles around an interesting topic but too busy trading blows to ever really get to it.



> but it's hard to see any way that could be productively addressed given the back and forth in the thread

Another commenter mentioned in a sibling thread the possibility of using future-dated revocations. The CA could be mandated to publish such a revocation immediately, such that it takes effect by the 24-hour deadline. Once published, the revocations themselves should be irrevocable. This would also need to be accounted for in the CA's customer contracts.

https://news.ycombinator.com/item?id=43169867


As the comment you linked to notes, that doesn't really fix the problem so much as it ensures that the CA's legal team gets to work nights and weekends for the next year.

The legal system is almost certainly going to view future-dating and immediately publishing revocations poorly in any civil action where a customer claims harm.


It fixes the problem of a customer getting an injunction despite what the contract says. If DigiCert doesn't want to be liable for harm they should improve their performance, not try to weasel their way out of the agreements that let their business exist in the first place.


> but it's hard to see any way that could be productively addressed

It sounds to me like there are things DigiCert could have done better, without violating the court order:

- they could have revoked all the other certs that weren't protected by the TRO. They did not.

- they could have contested the TRO sooner. But they didn't.

- Possibly, they could have given customers more warning, since they didn't notify customers until much of the 24 hours was gone

That said, IMO I don't think what they did is necessarily irredeemable. But they need to come up with, and execute on, a plan to make sure something like this doesn't happen again. And threatening legal action is really not a good way to re-establish trust.


> there seems like a real, risky issue in the idea that a company's customers can use the legal system to block the company from complying with its obligations to other entities

As Digicert has repeatedly explained, this is simply how the United States legal system works. Courts have broad and indisputable power to issue temporary restraining orders, and the parties to a case must comply even if doing so violates some promise they made to a third party. (The point of the TRO is to maintain the status quo while the court figures out details like what promises have been made to whom.) People in the PKI community who believe that some carefully written policy would enable CAs to reject an invalidation TRO, or convince a court that they cannot issue it, are wrong.

The reason it's never come up before is that no CA had previously attempted to enforce a widespread 24-hour revocation caused by its own error.


(I think Sectigo's argument is that Digicert did not even attempt to convince the court that it should be allowed to revoke those certificates in the mandated timeframe. If they had attempted and failed, I don't think they would be receiving criticism.)


That's their argument, yes, but it was clearly based on the incorrect belief that there's some emergency button you can press to demand that a court consider your arguments ASAP. As Digicert explained:

> The legal world does not move as fast as the demands of our CA ecosystem. Our legal approach was to work with the complainant’s legal team to get the TRO dismissed in 5 days.

The court would not have dissolved the TRO in anywhere close to 5 days without the complainant's cooperation, even if Digicert had an ironclad argument for doing so. Digicert made the right choice to get the certificates rotated as fast as possible - and I don't think Sectigo intends to argue it would be better to stand on principle even if that makes the revocation slower.


One customer filed a TRO saying "don't revoke my certs". DigiCert then said "well, I guess we can't revoke any of the certs for the 80,000+ other customers either". That's stupid, and not acceptable. Instead, revoke the other 79,999 customers and communicate to the CABF saying "we've got one holdout that we are legally prevented from acting on." DigiCert didn't do that. They're acting not on behalf of transparently representing the interests of the CA/Browser Forum, instead they're trying to save their own skin from both sides. That's not good enough.
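The two mechanisms raised above, future-dated revocations that become irrevocable once published, and revoking everything except the hold-outs a court order protects, can be sketched as a small append-only revocation ledger. This is an added illustration, not code from any CA or from the thread; the serial numbers, the incident timestamp, and the 24-hour deadline constant are constructed values, and the ledger API (`publish`, `is_revoked`, `revoke_batch`, `deadline_violations`) is hypothetical rather than any real CA software.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed incident time: when the CA (hypothetically) learned of the mis-issuance.
INCIDENT_TIME = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
# The 24-hour revocation window discussed in the thread.
REVOCATION_DEADLINE = timedelta(hours=24)


@dataclass(frozen=True)
class RevocationEntry:
    serial: str
    effective_at: datetime  # may lie in the future: a "future-dated" revocation
    reason: str


class RevocationLedger:
    """Append-only record of published revocations.

    Once an entry is published it can neither be replaced nor withdrawn, which is
    the 'irrevocable' property the thread proposes for future-dated revocations.
    """

    def __init__(self):
        self._entries = {}

    def publish(self, serial, effective_at, reason):
        if serial in self._entries:
            raise ValueError(f"revocation for serial {serial} already published")
        entry = RevocationEntry(serial, effective_at, reason)
        self._entries[serial] = entry
        return entry

    def withdraw(self, serial):
        # Deliberately always refused: publication is one-way.
        raise PermissionError("published revocations are irrevocable")

    def is_revoked(self, serial, at):
        """A relying party's view: revoked only once the effective time has passed."""
        entry = self._entries.get(serial)
        return entry is not None and at >= entry.effective_at

    def entries(self):
        return list(self._entries.values())


def revoke_batch(ledger, serials, held_out, incident_time, reason="superseded"):
    """Publish revocations for every affected serial except the held-out ones.

    held_out models certificates the CA is legally barred from acting on; they are
    returned separately so they can be reported as such rather than silently skipped.
    Every published entry takes effect exactly at the 24-hour deadline.
    """
    effective_at = incident_time + REVOCATION_DEADLINE
    revoked, skipped = [], []
    for serial in serials:
        if serial in held_out:
            skipped.append(serial)
            continue
        ledger.publish(serial, effective_at, reason)
        revoked.append(serial)
    return revoked, skipped


def deadline_violations(ledger, incident_time):
    """Serials whose revocation would take effect after incident_time + 24h."""
    cutoff = incident_time + REVOCATION_DEADLINE
    return [e.serial for e in ledger.entries() if e.effective_at > cutoff]


if __name__ == "__main__":
    # Constructed sample: three affected certificates, one protected by a court order.
    ledger = RevocationLedger()
    revoked, skipped = revoke_batch(ledger, ["0A", "0B", "0C"], {"0C"}, INCIDENT_TIME)
    print("revoked:", revoked, "held out:", skipped)
    print("0A revoked now?", ledger.is_revoked("0A", INCIDENT_TIME))
    print("0A revoked at deadline?", ledger.is_revoked("0A", INCIDENT_TIME + REVOCATION_DEADLINE))
    print("deadline violations:", deadline_violations(ledger, INCIDENT_TIME))
```

The held-out list is returned rather than dropped so that the incident report can state precisely which serials remain unrevoked and why, and `deadline_violations` gives an auditor a single check that nothing published slipped past the 24-hour window.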


> the incorrect belief that there's some emergency button you can press to demand that a court consider your arguments ASAP

... isn't that exactly the legal button the complainant pushed to prevent the revocation?


Should've been more specific. You can ask a court to do all kinds of things, but the individual judge who reads your filing doesn't have to (and in most cases can't) carefully analyze your arguments that day. They need time to think it over, and probably hearings where you and the other party can explain all the arguments for why certain rulings should or shouldn't be made. A contract dispute like this, where one party says they have a right to do something and the other party says they don't, is almost always going to take longer than 1 or 5 or 30 days for a court to figure out.

Temporary restraining orders are the biggest exception. If DigiCert is about to do something crazy like take down all your websites, courts are generally willing to put a temporary stop to it without understanding all the details. "Preserve the status quo" and "prevent irreparable harm" are the buzzwords.


> If DigiCert is about to do something crazy like take down all your websites, courts are generally willing to put a temporary stop to it without understanding all the details. "Preserve the status quo" and "prevent irreparable harm" are the buzzwords.

So if DigiCert's irreparable harm was great would that prevent it? Like legally requiring CAs to follow their revocation policies or pay millions in damages?


You're conflating DigiCert's argument against issuance of the TRO with the irreparable harm the complainant (Alegeus) is alleging will occur if the TRO is not granted.


Are there actually millions in damages being caused by delaying revocation of these certificates? Courts are generally averse to “penalty clauses” where you make up a nonsense number and call it damages. (Irreparable harm means that ordering monetary compensation can’t remediate it, so a more reasonable fee would probably not count.)


Could they not have had a clause in the contract saying “if you delay a revocation in any manner you owe us $100 million.”?

So a customer could go right ahead and get a TRO but long term it will cost them less than making sure their infrastructure can handle this rare event?


Liquidated damages are possible, but they have to have some relationship to the damages suffered, so $100 million is probably far too high. In any case, I think the complainant was correct that it was DigiCert who caused the entire scenario to happen by issuing certificates which they should have known were invalid.


I don't think I disagree with you about what courts can do. And (as shown by all the back and forth in the CAB thread, and now here), it is risky: we currently have a situation where CAs can find themselves in a position where taking court-mandated actions (or lack of actions) puts them in jeopardy with the CAB, and violating court orders puts them in jeopardy with the government.

For all the back and forth in the CAB thread, it doesn't seem we're any closer to finding an escape valve for that, which seemingly would have to come from the CAB because there isn't even really a mechanism for courts to decide not to issue TROs about cert revocation, short of somehow taking a case around this to the Supreme Court (which isn't going to happen).



