On Thu, 29 Jan 2026 23:02:51 -0800 (PST) "'Roman Fischer' via [email protected]" <[email protected]> wrote:
> One thing to consider here is that some CAs may use commercial CDN
> providers to serve some of the information mentioned. These CDNs
> often also provide DDoS protection. However, the decision when some
> access is considered an attack and what requests will then be blocked
> or let through is typically done by the CDN/DDoS service provider.
> Putting requirements with regards to e.g. not blocking based on
> user-agent might be difficult to impossible to implement in this kind
> of setup.

I think it is entirely reasonable to ask that CAs choose service providers that don't interfere with providing basic functionality that is part of the requirements of being a CA.

There's some legitimacy to DDoS protection, but you should be able to reasonably justify that you do it in a way that does not obviously generate false positives. Ultimately, if you use a CDN service that is focussing on a "browser only / we consider common non-browser clients an attack by default" scenario, I'd argue that service is simply not suitable for the job of serving CRLs.

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20260130100527.528e6a41%40hboeck.de.
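A CA operator's self-check for the failure mode discussed above, added here as an example and not part of the thread: fetch the same CRL URL with a browser and several non-browser User-Agent strings and report any client that is refused, handed an HTML challenge page instead of a DER CRL, or served different bytes. The URL, the User-Agent list and the fake fetcher used for offline testing are constructed placeholders.

```python
"""Check that a CRL distribution point serves the same DER CRL to every client."""
import urllib.error
import urllib.request

# Constructed list: one browser UA plus typical non-browser CRL fetchers,
# including an empty User-Agent, which some validators send.
USER_AGENTS = [
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
    "curl/8.5.0",
    "Python-urllib/3.12",
    "",
]


def http_fetch(url, user_agent, timeout=10):
    """Real fetcher: returns (status, content_type, body) for one User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), b""


def looks_like_der_crl(body):
    # A DER CertificateList begins with a SEQUENCE tag (0x30); an HTML
    # "checking your browser" interstitial or JS challenge does not.
    return len(body) > 2 and body[0] == 0x30


def check_crl_endpoint(url, fetch=http_fetch, user_agents=USER_AGENTS):
    """Return {user_agent: problem} for every client that did not get the CRL.

    An empty dict means all clients received byte-identical DER CRLs.
    `fetch` is injectable so the logic can be exercised without network access.
    """
    problems, bodies = {}, {}
    for ua in user_agents:
        status, ctype, body = fetch(url, ua)
        if status != 200:
            problems[ua] = f"HTTP {status}"
        elif not looks_like_der_crl(body):
            problems[ua] = f"non-CRL body (Content-Type {ctype!r})"
        else:
            bodies[ua] = body
    # Every accepted client must receive the same CRL, not a UA-dependent variant.
    if len(set(bodies.values())) > 1:
        for ua in bodies:
            problems.setdefault(ua, "CRL bytes differ between user agents")
    return problems


if __name__ == "__main__":
    # Placeholder URL; replace with the CA's real CRL distribution point.
    print(check_crl_endpoint("https://crl.example.invalid/ca.crl"))
```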
