@cxiao yussssss 
cpu@hachyderm.io
Posts
-
A L L E Z V I C T O I R E -
Reminder that halting issuance is a recommended action during an incident & trustworthy CAs will do it early, until the problem is conclusively identified and remediated.
Also you're renewing your certs early, based on some proportion of their total validity period right?
And using ACME, so it's automated and easy to fail-over to a standards-compliant alternative CA, right??
And using ARI so you're informed when you need to re-issue sooner than expected because of a compliance issue, right???
And back-stopping all of the above with monitoring, right????
-
Reminder that halting issuance is a recommended action during an incident & trustworthy CAs will do it early, until the problem is conclusively identified and remediated.
This happens both for true "oh-shit" events and "cross your t's dot your i's" compliance issues, and you can't infer which bucket the incident is in just because issuance has stopped.
See
https://wiki.mozilla.org/CA/Responding_To_An_Incident#Immediate_Actions