Hi,

On Mon, 19 Jan 2026 22:55:47 +0100 Dexter Castor Döpping <[email protected]> wrote:

> Recently I wrote a script to get resources hosted by CAs. For some
> CAs the requests were blocked by a WAF.

I've been hit by this before, and I'd very much appreciate it if we could have some basic sanity rules.

It's understandable that some form of abuse prevention takes place (e.g., rate limits), but I don't see how blocking certain user agents is acceptable. It should be possible to validate certificates based on the information in the certificate, and it should not be upon the CA to decide which software is allowed to do this.

While at it, I also wonder if there's an expectation to send CRLs and issuer certs with correct MIME types. (The correct MIME types are application/pkix-crl for CRLs and application/pkix-cert for issuer certificates. There are a couple of obsolete or unofficial CRL MIME types in use, e.g. application/x-x509-crl or application/x-pkcs7-crl.)

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

-- 
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20260120111710.7d9d0ef5%40hboeck.de.
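The two checks raised in this thread (is the CRL/issuer fetch being blocked, and is the Content-Type the correct one) can be turned into a small sanity checker. The code below is an added example, not the script mentioned in the post and not anything the list or the CAs publish. It works on already-fetched responses so it runs offline; the sample responses are constructed for illustration. The expected types are the ones named above (application/pkix-crl, application/pkix-cert) and the obsolete CRL types from the post; application/x-x509-ca-cert is assumed here as a common legacy certificate type not mentioned on the list. The checker also verifies that the body looks like DER (leading SEQUENCE tag 0x30), which catches a WAF challenge page delivered with HTTP 200 and text/html, an edge case a MIME check alone would miss.

```python
"""Sanity checks for CRLs and issuer certificates served by CA HTTP endpoints.

Added example for the mailing-list discussion; not the poster's script.
Checks: (1) request blocked (WAF / rate limit status codes),
        (2) Content-Type correct, obsolete or wrong,
        (3) body is DER (RFC 5280 requires DER for HTTP CRL DP / AIA URIs).
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Correct MIME types per RFC 2585; obsolete CRL types as listed in the post.
EXPECTED = {"crl": "application/pkix-crl", "cert": "application/pkix-cert"}
OBSOLETE = {
    "crl": {"application/x-x509-crl", "application/x-pkcs7-crl"},
    # assumption: legacy cert type widely used by web servers, not from the post
    "cert": {"application/x-x509-ca-cert"},
}
# Status codes typically produced by a WAF block or rate limiter.
BLOCK_STATUSES = {403, 429, 503}


@dataclass
class Response:
    """Minimal HTTP response as an HTTP client would hand it back."""
    status: int
    headers: Dict[str, str]
    body: bytes


def media_type(content_type: str) -> str:
    """Strip parameters (e.g. '; charset=binary') and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def looks_like_der(body: bytes) -> bool:
    """DER-encoded CRLs and certificates start with a SEQUENCE tag (0x30)."""
    return len(body) > 2 and body[0] == 0x30


def check(kind: str, resp: Response) -> Tuple[str, str]:
    """Return (verdict, detail) for a fetched CRL ('crl') or issuer cert ('cert')."""
    if resp.status in BLOCK_STATUSES:
        return "blocked", f"HTTP {resp.status}: likely WAF or rate limit"
    if resp.status != 200:
        return "error", f"HTTP {resp.status}"
    headers = {k.lower(): v for k, v in resp.headers.items()}
    mt = media_type(headers.get("content-type", ""))
    if resp.body.startswith(b"-----BEGIN"):
        return "bad-body", f"PEM served where DER is required (Content-Type {mt!r})"
    if not looks_like_der(resp.body):
        return "bad-body", f"body is not DER (Content-Type {mt!r}); challenge page?"
    if mt == EXPECTED[kind]:
        return "ok", mt
    if mt in OBSOLETE[kind]:
        return "obsolete-mime", f"{mt!r} served; expected {EXPECTED[kind]!r}"
    return "wrong-mime", f"{mt!r} served; expected {EXPECTED[kind]!r}"


# Constructed sample responses (not captured from any real CA).
DER_STUB = b"\x30\x82\x01\x00" + b"\x00" * 16  # SEQUENCE header plus filler
BLOCKED = Response(403, {"Content-Type": "text/html"}, b"<html>Access denied</html>")
GOOD_CRL = Response(200, {"Content-Type": "application/pkix-crl; charset=binary"}, DER_STUB)
OLD_CRL = Response(200, {"content-type": "Application/X-X509-CRL"}, DER_STUB)
HTML_200 = Response(200, {"Content-Type": "text/html"}, b"<html>Please enable JS</html>")
OCTET_CERT = Response(200, {"Content-Type": "application/octet-stream"}, DER_STUB)
PEM_CERT = Response(200, {"Content-Type": "application/pkix-cert"},
                    b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")


def run_samples() -> Dict[str, str]:
    """Run every sample through check() and return name -> verdict."""
    samples = {
        "blocked": ("crl", BLOCKED), "good_crl": ("crl", GOOD_CRL),
        "old_crl": ("crl", OLD_CRL), "html_200": ("cert", HTML_200),
        "octet_cert": ("cert", OCTET_CERT), "pem_cert": ("cert", PEM_CERT),
    }
    return {name: check(kind, resp)[0] for name, (kind, resp) in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} {verdict}")
```

In practice the `Response` objects would come from the client used to fetch the CRL distribution point and AIA caIssuers URIs of the certificate under test; the `blocked` verdict is the place to plug in backoff and reporting, since a 403 on a CRL fetch is exactly the situation the thread complains about.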
