2020.02.29 Let's Encrypt CAA Rechecking Bug

2020-02-28 Thread Jacob Hoffman-Andrews via dev-security-policy
Also posted to https://bugzilla.mozilla.org/show_bug.cgi?id=1619047. On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediat

Re: CRL/OCSP on IPv6-only networks

2020-02-28 Thread Ryan Sleevi via dev-security-policy
Yes, this is known as a gap. This was discussed in the CA/Browser Forum in 2015, but there did not seem to be support from CAs to adopt. You can look in the following minutes available at CABForum.org - 2014-12-12 - 2015-01-08 - 2015-02-19 - 2015-03-05 As well as the 2016-05-25 You can find som

CRL/OCSP on IPv6-only networks

2020-02-28 Thread sjw--- via dev-security-policy
Hi, While I was connected to an IPv6-only network I noticed that some CAs (e.g. Amazon, DigiCert, GoDaddy, QuoVadis) do not provide IPv6 on their CRL and OCSP endpoints. This means that certificate revocation does not work if you have no IPv6 or, depending on your security policy (e.g. require va

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-02-28 Thread Ryan Sleevi via dev-security-policy
Hi Arvid, I wanted to follow-up, and see if you had suggestions or ideas here for appropriate next steps. Understandably, as more countries are affected, this will no doubt continue to be an issue. I think you're spot on for asking early, as you did, and I'm hoping GlobalSign (and others!) might h