Reminder that halting issuance is a recommended action during an incident & trustworthy CAs will do it early, until the problem is conclusively identified and remediated.
This happens both for true "oh-shit" events and for "cross your t's, dot your i's" compliance issues, and you can't infer which bucket the incident is in just because issuance has stopped.
See
https://wiki.mozilla.org/CA/Responding_To_An_Incident#Immediate_Actions
-
Also you're renewing your certs early, based on some proportion of their total validity period, right?
And using ACME, so it's automated and easy to fail-over to a standards-compliant alternative CA, right??
And using ARI so you're informed when you need to re-issue sooner than expected because of a compliance issue, right???
And back-stopping all of the above with monitoring, right????
@cpu i put certbot in the crontab and hope it doesn't blow up
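
A monitoring backstop for the checklist in the thread above, as an added example that is not part of the original posts: it classifies a certificate by how much of its validity period has elapsed and lets an ARI suggested window pull the deadlines forward. The function names and both thresholds are assumptions; the `suggestedWindow` `start`/`end` fields follow the ARI renewalInfo response format.

```python
import ssl
from datetime import datetime, timezone

RENEW_FRACTION = 2 / 3  # assumed policy: renew after two thirds of the lifetime
ALERT_FRACTION = 0.85   # assumed: automation has clearly failed by this point

def cert_time(value):
    # getpeercert() dates look like "Jan  1 00:00:00 2025 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def rfc3339(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def renewal_status(cert, now, ari=None):
    """Return 'ok', 'due', 'overdue' or 'expired' for one certificate.

    cert: dict shaped like ssl.SSLSocket.getpeercert() output.
    ari:  parsed ARI renewalInfo JSON for this certificate, or None.
    """
    not_before = cert_time(cert["notBefore"])
    not_after = cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    renew_at = not_before + lifetime * RENEW_FRACTION
    alert_at = not_before + lifetime * ALERT_FRACTION
    if ari is not None:
        # The CA may pull the window forward, e.g. ahead of a revocation.
        window = ari["suggestedWindow"]
        renew_at = min(renew_at, rfc3339(window["start"]))
        alert_at = min(alert_at, rfc3339(window["end"]))
    if now >= not_after:
        return "expired"
    if now >= alert_at:
        return "overdue"  # page a human: renewal should already have happened
    if now >= renew_at:
        return "due"      # automation should be renewing now
    return "ok"

# Constructed sample data: a 90-day certificate and an early ARI window.
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2025 GMT",
               "notAfter": "Apr  1 00:00:00 2025 GMT"}
SAMPLE_ARI = {"suggestedWindow": {"start": "2025-01-10T00:00:00Z",
                                  "end": "2025-01-12T00:00:00Z"}}

if __name__ == "__main__":
    for day in ("2025-02-01", "2025-03-05", "2025-03-20", "2025-01-11"):
        now = rfc3339(day + "T00:00:00Z")
        print(day, renewal_status(SAMPLE_CERT, now),
              renewal_status(SAMPLE_CERT, now, SAMPLE_ARI))
```

Run it from a scheduler that is independent of the ACME client, so a silently failing renewal job still produces an alert.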
