On Thu, Jan 29, 2026 at 11:02:51PM -0800, 'Roman Fischer' via [email protected] wrote:
> One thing to consider here is that some CAs may use commercial CDN
> providers to serve some of the information mentioned. These CDNs often also
> provide DDoS protection. However, the decision when some access is
> considered an attack and what requests will then be blocked or let through
> is typically done by the CDN/DDoS service provider. Putting requirements
> with regards to e.g. not blocking based on user-agent might be difficult to
> impossible to implement in this kind of setup.
CAs choose which service providers to use. If they choose a service provider which is not capable of behaving in a manner appropriate for the service the CA requires, then the CA should choose a different service provider. If the CA does not choose a different service provider, for whatever reason, then it is reasonable that the consequences of that choice be borne by the CA, not by the community.

- Matt
