Just an FYI - I've also started a thread on the CA/Browser Forum list to see about establishing OCSP uptime requirements in the Baseline Requirements.
On Mon, May 11, 2020 at 5:45 AM Kurt Roeckx via dev-security-policy < [email protected]> wrote: > On 2020-05-08 21:03, Wayne Thayer wrote: > > It was recently reported [1] that IdenTrust experienced a multi-day OCSP > > outage about two weeks ago. Other recent OCSP issues have resulted in > > incident reports [3][4], so I am concerned that IdenTrust didn't report > > this, and I created a bug [5] to ensure that we track the issue (assuming > > the report of an extended outage is accurate). > > > > I also created an issue [6] suggesting that Mozilla clarify expectations > > for reporting CRL and OCSP outages. These services are notoriously > > unreliable and I doubt that a constant barrage of reports for brief > outages > > would be manageable. I believe that Mozilla does expect CAs to report > > "significant" outages, but there is currently no guidance to help CAs > > determine when they should file a report. > > Should we have minimum uptime requirements? For instance 90% for a 24 > hour period and 95% per 30 days? > > > Kurt > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
