Lack of revocation information means that the issued digital certificates cannot be checked back against the issuing authority (and/or its parents) to confirm that they are still valid and have not been revoked. Revocation information, often an HTTP link, lets users and applications verify whether a certificate is still considered valid. Whether a consumer checks the revocation information is often optional, but as the industry puts greater reliance on public PKI, revocation information is becoming a more important requirement.
Microsoft's removal of Digicert from its Root Certificate program marks a rare event, especially given that the CA was not maliciously compromised. All public CAs are expected to follow best practices -- and usually do.
Clearly, this is Microsoft's warning to other CAs that poor certificate issuing practices will not be tolerated. There are many other CAs that do not include revocation information or don't appropriately constrain the certificates they issue with extensions. Just check the ones located in the certificate store on your own computer. It's likely you'll see a few missing the same items. You can bet those CAs are paying closer attention now.
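As an added illustration (not code from the article), the check described above can be scripted: the following stand-alone Python walks the DER-encoded Extensions block of a certificate with a tiny hand-written ASN.1 reader and reports which of the revocation pointers (CRL Distribution Points, Authority Information Access) and constraining extensions (Basic Constraints, Key Usage) are absent. The OIDs are the standard ones; the sample Extensions block is constructed inline for the demonstration rather than taken from a real CA certificate.

```python
CRL_DP, AIA = "2.5.29.31", "1.3.6.1.5.5.7.1.1"          # revocation pointers
BASIC_CONSTRAINTS, KEY_USAGE = "2.5.29.19", "2.5.29.15"  # issuance constraints
EXPECTED = {"crlDistributionPoints": CRL_DP, "authorityInfoAccess": AIA,
            "basicConstraints": BASIC_CONSTRAINTS, "keyUsage": KEY_USAGE}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extension_oids(extensions_der):
    """OIDs in a DER `Extensions ::= SEQUENCE OF Extension` block."""
    tag, body, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)   # Extension SEQUENCE
        _, oid_raw, _ = _read_tlv(ext, 0)    # extnID OBJECT IDENTIFIER
        oids.append(_decode_oid(oid_raw))
    return oids

def audit(extensions_der):
    """Names of the expected extensions that the certificate lacks."""
    present = set(extension_oids(extensions_der))
    return sorted(n for n, oid in EXPECTED.items() if oid not in present)

# Constructed sample input: hand-encoded DER OIDs plus a minimal TLV encoder.
OID_DER = {CRL_DP: b"\x55\x1d\x1f", AIA: b"\x2b\x06\x01\x05\x05\x07\x01\x01",
           BASIC_CONSTRAINTS: b"\x55\x1d\x13", KEY_USAGE: b"\x55\x1d\x0f"}

def _tlv(tag, value):                      # short-form length is enough here
    return bytes([tag, len(value)]) + value

def make_extensions(oids):
    """Extensions block whose extnValues are placeholder empty SEQUENCEs."""
    return _tlv(0x30, b"".join(
        _tlv(0x30, _tlv(0x06, OID_DER[o]) + _tlv(0x04, b"\x30\x00")) for o in oids))
```

`audit(make_extensions([BASIC_CONSTRAINTS, KEY_USAGE]))` returns the two missing revocation pointers; against a real certificate you would feed it the Extensions element extracted from the TBSCertificate.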
This story, "Sloppy certificate authorities put on notice," was originally published at InfoWorld.com. Read more of Roger Grimes's Security Adviser blog at InfoWorld.com.