Alegeus, a client of DigiCert, filed a court motion to stop DigiCert from revoking their certificate. The courts granted the temporary restraining order.
There is no "update their legal work to prevent customers from legal action" that can avoid a temporary restraining order that is ordered by the courts to provide time to establish facts. It's simply how the legal process works. "They can't help but" seems unfair, as the issue was that the client, Alegeus, was unable to replace their certificates in the revocation timeline.
Further, "Going through the courts": they didn't go to the courts, a client of theirs did.
DigiCert is absolutely not blameless. Outside of the TRO, they have failed to meet revocation windows before and yes, are likely using the TRO in this instance as a shield for that.
However, the TRO itself is a concerning development that all CAs need to consider depending on their legal jurisdiction, as it could put companies in a bind of being legally ordered not to complete something they are contractually and legally required to do within the required timeline, and interrupt standard security practices in cases like this.
The TRO was filed for and granted without DigiCert's input. By the time they responded, both parties filed to vacate the TRO (3 days later). Judges, I expect, weigh to the best of their abilities the perceived harm in granting/not granting the TRO. Considering the technical literacy of our court system, I expect that leaves much to be desired.
Jul 30, 2024 - ORDER granting 2 Ex Parte Motion for TRO. IT IS HEREBY ORDERED that DigiCert is prohibited from revoking the security certificates for the Alegeus Websites for a period of seven (7) day
Jul 31, 2024 - NOTICE of Appearance by Jess M. Krannich on behalf of DigiCert
...
Aug 3, 2024 - DOCKET TEXT ORDER. 9 Joint Motion to Vacate 3 Order Granting Ex Parte Motion for TRO is GRANTED
Looking at that timeline, I can see why other CA forum members are asking "are you really taking this seriously?" The whole point is that such a restraining order was definitely a bad call by the judge and should absolutely have been contested immediately by any legal team that was interested in representing the security interests of the CA/Browser Forum (which, ya know, members of the CA/Browser Forum should do in such cases, hence why they're in the CA/Browser Forum). The fact that DigiCert's legal team did show up for that TRO and then did not act to try to defend their ability to secure their certs is a bad thing. If you want to be a CA, you gotta be willing to defend your need to act in the name of security, and to defend that in a social, business, and legal context. The point of CAs in the world is not to make money, it is to provide security services. Responding with "hey, but my legal obligations in my country mean I can't always do that" is a valid explanation, but it also means that the rest of the CA/Browser Forum should probably not trust you.
Any CA who believes that the courts in their country could not prevent them from revoking certificates is confused at best.
It's true that DigiCert could have refused to cooperate with Alegeus and fought the court order instead of cooperating with them to rotate the certificates ASAP. But that would have taken a lot longer than 5 days, even if they eventually won. If the CA Browser Forum has such a strong security interest in swift revocation, it's hard to see how further delaying the revocation in order to provoke a legal battle promotes that interest.
I'll point out notice of appearance doesn't mean they COULD have done anything. The TRO was granted for 7 days already.
From a strategic position, they probably saw they could work with the client and withdraw the TRO faster and cheaper than challenging the TRO in court. It's unlikely a challenge would have significantly decreased the time they were required to not act under the TRO.
They could have revoked the certificates of companies not listed in the TRO. Instead revocations for _all_ customers were delayed by 3 days over the time limit [1].
Additionally, it seems more prudent to me that they should drop Alegeus as a customer than make the guy resign. The current situation seems like, if an issue occurs again, then DigiCert will not revoke the certs according to the timeline they committed to (24h).
They should, but only if a good lawyer points that out to the courts. Remember the courts are not experts in the technical details in question (and should not be; there are far more details that could come before the court than any human has time to learn). The job of lawyers is to quickly give them enough education to figure it out.
In "common law", when something goes before a court in slightly different situations, the second court will look at what the last one decided to see if it makes sense and if they agree. Then the third time looks at both the previous ones. After many, many cases, courts will have seen all the arguments and made decisions, and so there is no need to educate the court anymore; they will just look at what was done before and decide the same thing.
Not all courts follow the "common law" above though, and I'm not clear how the other systems are different. (I've only lived in common law areas)
An answer for the civil law countries I know of: the laws tend to be more detailed to avoid the situation you describe. Also, there is still a lot of referencing old cases, but it is considered guiding, not binding.
Other comments have since suggested this was an emergency order where the CA didn't have their lawyer present. The courts said "don't do anything for a week while the real paperwork happens". I don't know the cases in question well enough to figure out if that is correct, but it seems reasonable. But also a week is not very long.
> Would a judge not consider potential harm to each party if the TRO is granted or not?
> If the CA could credibly point out they would face severe consequences for failure to revoke, could that have an impact on?
That would be an excellent reason to make sure to impose strict consequences on CAs without regard to whatever legal orders they're subject to, so that the next CA can point to those consequences when arguing against things like a TRO. "If you grant this TRO, the net effect will not be that you get what you want; the net effect will be to destroy our business and still not get what you want".