One thing to consider here is that some CAs may use commercial CDN
providers to serve some of the information mentioned. These CDNs often also
provide DDoS protection. However, the decision as to when an access is
considered an attack, and which requests are then blocked or let through,
is typically made by the CDN/DDoS service provider. Putting requirements in
place with regard to, e.g., not blocking based on user agent might be
difficult or impossible to implement in this kind of setup.

Regards
Roman

On Tuesday, January 20, 2026 at 11:17:17 AM UTC+1 Hanno Böck wrote:

> Hi,
>
> On Mon, 19 Jan 2026 22:55:47 +0100
> Dexter Castor Döpping <[email protected]> wrote:
>
> > Recently I wrote a script to get resources hosted by CAs. For some
> > CAs the requests were blocked by a WAF.
>
> I've been hit by this before, and I'd very much appreciate it if we could
> have some basic sanity rules.
>
> It's understandable that some form of abuse prevention takes place
> (e.g., rate limits), but I don't see how blocking certain user agents is
> acceptable. It should be possible to validate certificates based on the
> information in the certificate, and it should not be upon the CA to
> decide which software is allowed to do this.
>
> While at it, I also wonder if there's an expectation to send CRLs and
> Issuer certs with correct MIME types. (The correct MIME types are
> application/pkix-crl for CRLs and application/pkix-cert for issuer
> certificates. There are a couple of obsolete or unofficial CRL MIME
> types in use, e.g. application/x-x509-crl or application/x-pkcs7-crl.)
>
> -- 
> Hanno Böck - Independent security researcher
> https://itsec.hboeck.de/
> https://badkeys.info/
>

To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/4b4b8c36-4b2a-4ae0-9137-895056bf6141n%40mozilla.org.
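As an added example (not code from the thread, and not from any CA or CDN), here is a small stdlib-only Python checker for the two problems discussed above: it fetches a CRL or issuer-certificate URL with an explicit User-Agent, flags HTTP 403/429 responses, compares the Content-Type against the RFC 2585 types Hanno lists, and inspects the bytes themselves so that a WAF challenge page served with HTTP 200 is not mistaken for a CRL. All function and constant names, the user-agent string and the sample DER objects are made up for the example; the samples are shaped like a CertificateList and a Certificate but are not real, signed objects, and nothing here verifies a signature.

```python
import urllib.error
import urllib.request

# MIME types from RFC 2585 for objects served at CRL distribution point / AIA URLs.
CRL_MIME = "application/pkix-crl"
CERT_MIME = "application/pkix-cert"
# Obsolete / unofficial CRL types still seen in the wild (the ones named in the thread).
LEGACY_CRL_MIMES = {"application/x-x509-crl", "application/x-pkcs7-crl"}

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def _children(buf, start, end):
    """(tag, value_start, value_end) of each TLV between start and end, one level deep."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out

def sniff_pkix_object(body):
    """'crl', 'cert', 'pem' or 'unknown', judged from DER structure alone.

    Certificate and CertificateList share the outer shape SEQUENCE { tbs SEQUENCE,
    signatureAlgorithm SEQUENCE, signature BIT STRING } and differ in the leading
    tbs fields (RFC 5280 sections 4.1 and 5.1). No signature is checked here.
    """
    if body.lstrip().startswith(b"-----BEGIN "):
        return "pem"  # PEM at a distribution point is a common misconfiguration
    try:
        tag, vs, ve = _read_tlv(body, 0)
        outer = _children(body, vs, ve)
        if tag != 0x30 or ve != len(body) or [t for t, _, _ in outer] != [0x30, 0x30, 0x03]:
            return "unknown"
        tags = [t for t, _, _ in _children(body, *outer[0][1:])]
    except ValueError:
        return "unknown"
    if tags[:1] == [0xA0]:
        return "cert"  # [0] EXPLICIT version: only tbsCertificate starts this way
    if tags[:1] == [0x02]:
        tags = tags[1:]  # CRL version INTEGER, or a v1 certificate's serialNumber
    # Both then carry signature AlgorithmIdentifier and issuer Name; a CRL continues
    # with thisUpdate (UTCTime/GeneralizedTime), a certificate with validity (SEQUENCE).
    if tags[:2] == [0x30, 0x30] and len(tags) > 2:
        return {0x17: "crl", 0x18: "crl", 0x30: "cert"}.get(tags[2], "unknown")
    return "unknown"

def normalize_mime(content_type):
    """'Application/PKIX-CRL; charset=binary' -> 'application/pkix-crl'."""
    return (content_type or "").split(";", 1)[0].strip().lower()

def classify_response(kind, status, headers, body):
    """Findings for a fetched CRL ('crl') or issuer cert ('cert'); empty list means OK."""
    findings = {403: ["blocked (HTTP 403)"], 429: ["rate-limited (HTTP 429)"],
                200: []}.get(status, ["unexpected HTTP %d" % status])
    actual = sniff_pkix_object(body)
    if actual != kind:  # also catches a WAF challenge page served with HTTP 200
        findings.append("body is %s, expected %s" % (actual, kind))
    ctype = normalize_mime(next((v for k, v in headers.items() if k.lower() == "content-type"), ""))
    expected = CRL_MIME if kind == "crl" else CERT_MIME
    if ctype != expected:
        legacy = kind == "crl" and ctype in LEGACY_CRL_MIMES
        findings.append("%sContent-Type %r, expected %s" % ("legacy " if legacy else "", ctype, expected))
    return findings

def fetch_and_check(url, kind, user_agent="crl-check/0.1", timeout=15):
    """Fetch url with an explicit User-Agent and return classify_response() findings."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(kind, resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:  # 403 / 429 / 5xx land here
        return classify_response(kind, e.code, dict(e.headers), e.read())

def _der(tag, content):  # short-form lengths only; enough for the samples below
    return bytes([tag, len(content)]) + content

# Constructed samples (not real CA objects): shaped like a v2 CRL and a v3 certificate,
# with an empty issuer Name, no extensions and an all-zero dummy signature.
_SHA256_RSA = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
_SIG = _der(0x03, b"\x00" * 33)
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01") + _SHA256_RSA + _der(0x30, b"")
                 + _der(0x17, b"260101000000Z") + _der(0x17, b"260201000000Z")) + _SHA256_RSA + _SIG)
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SHA256_RSA
                  + _der(0x30, b"") + _der(0x30, _der(0x17, b"260101000000Z") + _der(0x17, b"270101000000Z")))
                  + _SHA256_RSA + _SIG)
```

To probe the user-agent question from the thread, call fetch_and_check() twice on the same CRL distribution point URL, once with the default script-style User-Agent and once with a browser-like one, and compare the findings: a 403 or a non-DER body only in the first run is the CDN/WAF deciding based on the client software rather than on request volume. The structural sniff is deliberately shallow; once a body passes it, hand it to a real X.509 parser and verify the signature against the issuer before trusting it.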