As far as I can tell there's zero real-world impact here; I think they just want to maintain a stellar track record for any reported bug that would affect the certificate issuance in any way.
The security concerns of this particular bug are essentially zero. The meta question is if there are other related bugs that may not have been caught. We should stamp out bug classes, not individual bugs.
It's a brown M&Ms sort of situation. It's a low-impact situation, but the appropriate response is to audit how the mistake was made and figure out what failed for it to slip through — which might lead to insight into other latent problems.
SteveNuts|4 years ago
Basically, had it been a second, a day, a month, doesn't matter - they still treated it seriously. That sort of thing goes a long way towards building trust.
blfr|4 years ago
The suggestion to invalidate millions of certs over a second longer validity sounds like terrible judgement.
mcpherrinm|4 years ago
unknown|4 years ago
[deleted]
pdpi|4 years ago
mweberxyz|4 years ago
unknown|4 years ago
[deleted]