On 2020-05-08 21:03, Wayne Thayer wrote:
It was recently reported [1] that IdenTrust experienced a multi-day OCSP
outage about two weeks ago. Other recent OCSP issues have resulted in
incident reports [3][4], so I am concerned that IdenTrust didn't report
this, and I created a bug [5] to ensure that we track the issue (assuming
the report of an extended outage is accurate).
I also created an issue [6] suggesting that Mozilla clarify expectations
for reporting CRL and OCSP outages. These services are notoriously
unreliable and I doubt that a constant barrage of reports for brief outages
would be manageable. I believe that Mozilla does expect CAs to report
"significant" outages, but there is currently no guidance to help CAs
determine when they should file a report.
Should we have minimum uptime requirements? For instance 90% for a 24
hour period and 95% per 30 days?
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
