I completely agree that CAs remain responsible to provide secure and available certificate status information to the WebPKI ecosystem. DDoS protection is something that most CAs can't do without external service providers (mitigating TBit/s attacks is hard). And these DDoS protections are usually based on multiple signals and their internal workings change constantly. I think it's simply a residual risk that some clients may be wrongly blocked by DDoS mitigation to keep the service available for the majority of the ecosystem. I also agree that blocking -solely- on the user agent is not a good strategy.

Kind regards
Roman

On Monday, February 2, 2026 at 12:35:51 AM UTC+1 Matt Palmer wrote:

On Thu, Jan 29, 2026 at 11:02:51PM -0800, 'Roman Fischer' via [email protected] wrote:
> One thing to consider here is that some CAs may use commercial CDN
> providers to serve some of the information mentioned. These CDNs often also
> provide DDoS protection. However, the decision when some access is
> considered an attack and what requests will then be blocked or let through
> is typically done by the CDN/DDoS service provider. Putting requirements
> with regards to e.g. not blocking based on user-agent might be difficult to
> impossible to implement in this kind of setup.

CAs choose which service providers to use. If they choose a service provider which is not capable of behaving in a manner appropriate for the service the CA requires, then the CA should choose a different service provider. If the CA does not choose a different service provider, for whatever reason, then it is reasonable that the consequences of that choice be borne by the CA, not by the community.

- Matt
