Yesterday (October 13, 2016), certain segments of the Public Key Infrastructue (PKI) world were spun into a frenzy, when a GlobalSign CA certificate appeared to have been revoked. Clearly, revoking a CA certificate is a significant event, as all certs that chain through that CA effectively become invalid.
Many news outlets reported that GlobalSign had “screwed up,” and accidentally revoked a live, non-compromised CA. GlobalSign however, put the blame back on browser implementers: https://www.globalsign.com/en/customer-revocation-error/
“As part of a planned exercise to remove some of those links, a cross-certificate linking two roots together was revoked … some browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case.”
So depending on who you believe, the “screw-up” was either GlobalSign’s fault, or faulty cert validation code used by browsers such as Google Chrome. In fairness to GlobalSign, we’ve certainly seen plenty of examples of past SSL/TLS implementation problems: FREAK, HEARTBLEED, and Apple’s “goto fail” bug come immediately to mind, not to mention protocol-based issues such as POODLE and DROWN. Given the relative track records, GlobalSign’s explanation actually seems quite plausible to me.
Either way, it’s just another proof point that PKI is hard.