top | item 20583045

mghilardi | 6 years ago

I think Actalis found itself between a very hard rock and an even harder place. I am Italian and I have worked with some public entities similar to the ones Actalis provided certificates to. There is a private network "SPC" of public Italian organizations, with many machine-to-machine HTTPS web services that MUST by law provide updates to the central government with quite strict deadlines.

On such networks, certificate pinning is very common and possibly even recommended, contrary to the "Basic Requirements" and recommendations of CAs.

Failing to respect such deadlines causes penalties to the local governments, and in grave cases may even be a crime: "public service interruption" which would initiate a trial, with more fines and possibly jail time.

Thus Actalis had to choose between:

1. follow the CAs' "Basic Requirements" that force CAs to quickly revoke certificates when a problem is discovered. Then most of the certificates would be revoked before the public customers managed to replace them - disrupting their operations, risking penalties for the missed deadlines and possibly trial and jail time for "public service interruption". To avoid this, they would then need to demonstrate in a public trial that the public customers were well informed that certificates could be revoked and re-issued at any time with very short warning time, and that they did everything they could to avoid the "public service interruption", both pre-emptively (when negotiating the sale of certificates and educating the customers) and reactively (when the serial numbers vulnerability was discovered). Quite a hard path.

2. contact the customers, push them to quickly replace the compromised certificates, and revoke them only afterwards, thus avoiding service disruptions.

They chose 2. Unluckily, Italian public organizations are very slow, which in the end caused Actalis to miss their BR deadlines by a long shot.

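The comment above turns on one technical point: when machine-to-machine clients pin the server certificate, the CA cannot revoke and re-issue on the Baseline Requirements timeline without breaking every client that has not yet been updated. The following Go program is an added illustration of why, and of the two mitigations a defender would want in place before a mass re-issue; it is not code from the thread, from Actalis or from any SPC service. The host name, serial numbers and keys are constructed test data. It compares three pinning strategies against a same-key re-issue (new serial, same key) and a key-rotating re-issue: a pin on the whole leaf certificate breaks on any re-issue, a pin on the SubjectPublicKeyInfo (the RFC 7469 style) survives a same-key re-issue, and a pre-provisioned backup SPKI pin is what lets the operator rotate the key as well.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newCert self-signs a leaf-style certificate for a constructed host name
// (not a real SPC endpoint) with the given key and serial number. A re-issue
// after a serial-number problem means a new serial and a new certificate,
// but not necessarily a new key.
func newCert(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "ws.ente-esempio.invalid"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func b64sha256(b []byte) string {
	sum := sha256.Sum256(b)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// LeafPin hashes the entire DER certificate: it changes on every re-issue,
// even when the key is unchanged, so every client must be touched.
func LeafPin(c *x509.Certificate) string { return b64sha256(c.Raw) }

// SPKIPin hashes only the SubjectPublicKeyInfo, so a re-issue that keeps
// the key does not invalidate the pin.
func SPKIPin(c *x509.Certificate) string { return b64sha256(c.RawSubjectPublicKeyInfo) }

// SPKIPinForKey computes the same pin from a bare public key, which is how a
// backup pin is published before the backup key is ever put in a certificate.
func SPKIPinForKey(pub crypto.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return b64sha256(der)
}

// PinSet is a client's configured pins; the presented certificate is
// accepted if any one of them matches.
type PinSet map[string]bool

func (p PinSet) Accepts(pin string) bool { return p[pin] }

// Outcome records which pin configurations keep working across a re-issue.
type Outcome struct {
	LeafPinSurvivesReissue     bool
	SPKIPinSurvivesReissue     bool
	SPKIPinSurvivesKeyRotation bool // no backup pin configured
	BackupPinSurvivesRotation  bool
}

func RunScenario() Outcome {
	keyA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	keyB, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	orig := newCert(keyA, 1001)     // what the clients pinned originally
	reissued := newCert(keyA, 1002) // re-issued: new serial, same key
	rotated := newCert(keyB, 1003)  // re-issued with a fresh key

	leafPins := PinSet{LeafPin(orig): true}
	spkiPins := PinSet{SPKIPin(orig): true}
	// Backup pin: keyB's SPKI hash is provisioned on clients ahead of time.
	spkiWithBackup := PinSet{SPKIPin(orig): true, SPKIPinForKey(&keyB.PublicKey): true}

	return Outcome{
		LeafPinSurvivesReissue:     leafPins.Accepts(LeafPin(reissued)),
		SPKIPinSurvivesReissue:     spkiPins.Accepts(SPKIPin(reissued)),
		SPKIPinSurvivesKeyRotation: spkiPins.Accepts(SPKIPin(rotated)),
		BackupPinSurvivesRotation:  spkiWithBackup.Accepts(SPKIPin(rotated)),
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("leaf pin survives same-key re-issue:          %v\n", o.LeafPinSurvivesReissue)
	fmt.Printf("SPKI pin survives same-key re-issue:          %v\n", o.SPKIPinSurvivesReissue)
	fmt.Printf("SPKI pin survives key rotation (no backup):   %v\n", o.SPKIPinSurvivesKeyRotation)
	fmt.Printf("SPKI pin + backup pin survives key rotation:  %v\n", o.BackupPinSurvivesRotation)
}
```

The practical reading for an operator in the situation described: if the pinned fleet uses leaf pins, the CA's revocation clock and the customers' replacement speed are directly coupled, which is the conflict the comment describes. SPKI pins decouple them for the common case where the CA only needs to re-issue with a corrected serial, and a published backup pin is the precondition for also rotating the key without a client-by-client update.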

carapace | 6 years ago

Thank you! Reading between the lines it seemed clear that just revoking the certs would have caused major infrastructure problems, but what you describe sounds severe. No wonder they chose to take the hit in BR deadlines!