Hi Aaron,

On Thu, 11 Apr 2024 10:33:30 -0700 "'Aaron Gable' via CCADB Public" <[email protected]> wrote:

> Acquiring this fuller list would have significantly increased the time
> taken to conduct the investigation. Let's Encrypt prunes data about
> already-expired certificates from our easily-queryable database to
> prevent it from growing without bound, so the investigation would
> have had to start pulling in log data, which is a much slower process
> for both writing and executing the relevant queries. Would this
> additional investigation time, and correspondingly slower incident
> response and remediation, have been worthwhile?

When a CA claims that something is difficult, I think it's important to gather as many details about the difficulty as possible, particularly when it's being used as motivation for relaxing a requirement. So I hope you can provide more details, and answer the following questions:

Are the challenges with acquiring a full list of affected certificates applicable only to expired certificates, or also to unexpired certificates?

What makes your database for expired certificates less easily queryable? Does it require additional staff time to query, or is it just a matter of waiting for a query to complete?

How much longer would incident response and remediation take if you had to query your last 2 years of expired and unexpired certificates, as opposed to only unexpired certificates?

Regards,
Andrew

-- 
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/20240415101129.a536dd3cc61af0a326d1c2b8%40andrewayer.name.
