Not everyone should use public CAs
Most people here are completely missing the point: Public CAs (CAB/Webtrust CAs) are being (mis)used for internal services or so-called "critical infrastructure" (AKA mission critical systems managed by inept vendors where changing a cert takes months).
This is in part what caused Entrust to lose their trusted status in the browsers: they bowed to customers and, instead of following the rules and revoking misissued certs, they kept them valid. How much blame goes to Entrust sales for pushing this type of service to their customers and how much blame goes to the customer for using an unsuitable product I can't say; my guess would be 50/50.
In some cases the misissuance of certificates might be for extremely minor reasons that in theory should have no impact on security; sometimes the reasons are more serious. But simply requiring CAs to revoke them in all cases of misissuance is the right move, as it guarantees the trust in a short timeframe and avoids any song-and-dance routine a vendor might try to throw in to prolong the revocation on behalf of customers.
Of course it's not realistic to be able to rotate any certificate in a corporate network on short notice, not only for reasons of inept vendors and the resulting poor tech, but also of governance (because _those_ people see it as their mission to block everything). In that case, you shouldn't be using a public CA; you should have your own, or use a non-public CA as a service instead, and someone needs to assess the risk and bear responsibility for making poor choices.
There's also the long-standing practice in some sectors to use certificate pinning, which requires coordination between different people/teams/companies or even government bodies when you change the cert, and good luck getting regulatory approval during the weekend.
In case of certificate compromise, it's then the entity using the certificate who bears responsibility for the potential misuse, and someone must weigh the risks of not being able to rotate a certificate in a timely manner against the benefit of using that vendor/service/setup in production.
I am sceptical that this change will lead to vendors improving their products (or enterprises choosing good products instead of those that send the best Christmas presents to the purchasing department), but at least it should shift the blame for incidents the right way (and away from the public CA that has no insight into how b0rked the customer's setup is).