
Comments (11)

jsha commented on May 17, 2024

Should have pasted in the full text:

Verification against the Denied List
In accordance with the CA/B Forum Baseline Requirements, the CA maintains an internal database of all previously revoked DV-SSL Certificates and previously rejected certificate requests due to suspected phishing or other fraudulent usage or concerns. The CA uses this information to identify subsequent suspicious certificate requests. DV-SSL applications that cannot pass this review will not be issued a DV-SSL Certificate. If the DV-SSL Certificate does not pass review, it will be added to a list of previously denied applications and kept for verification purposes of future DV-SSL Certificate applications. If a new request for a previously denied DV-SSL Certificate is made, the application is the application is rejected immediately by the CA, which notifies the ACME client of the rejection. The instance is added to the internal database of DV-SSL denied lists.

https://letsencrypt.org/ISRG-CPS-Draft-May-5-2015.pdf

from boulder.

jcjones commented on May 17, 2024

Merged PR 185.


jcjones commented on May 17, 2024

We should probably add a utility to append to this DB, at some point.


jsha commented on May 17, 2024

Filed at #198.


jsha commented on May 17, 2024

Fixed by #185, closing.


bifurcation commented on May 17, 2024

There are still code stubs around that imply that denied requests are populated within boulder itself (vs. via admin-revoke). I am including this in #262.


jsha commented on May 17, 2024

Technically, according to the CPS we do need to populate the denied requests within Boulder itself, if anything hits the denied list:

If a new request for a previously denied DV-SSL Certificate is made, the application is the application is rejected immediately by the CA, which notifies the ACME client of the rejection. The instance is added to the internal database of DV-SSL denied lists.

The language is a bit broken, because it implies we need to add names to the DB that are already there.

@bdaehlie, where are we on the CPS? Would it be disruptive / time consuming to try and fix this in the CPS?


bdaehlie commented on May 17, 2024

Assigned to me to resolve CPS issue.


jmhodges commented on May 17, 2024

Status on this? I'm digging around in DB stuff and want to make sure we're covered.


jsha commented on May 17, 2024

Moving to GA per email with @bdaehlie. We're going to fix it in the CPS, but not in the current round of edits.


bdaehlie commented on May 17, 2024

This will be resolved in the CPS. No boulder fix needed.

