-
-
Notifications
You must be signed in to change notification settings - Fork 607
Recommended Reading
Jacob Hoffman-Andrews edited this page Nov 14, 2022
·
20 revisions
- Internet Public Key Infrastructure (Web PKI): RFC 5280
- Certificate Path Building: RFC 4158
- Online Certificate Status Protocol (OCSP): RFC 6960
- Lightweight OCSP Profile: RFC 5019
- Certificate Authority Authorization (CAA) DNS Record: RFC 8659
- Certificate Transparency (CT): RFC 6962
- JSON Web Signatures (JWS): RFC 7515
- Automatic Certificate Management Environment (ACME): RFC 8555
- ACME TLS ALPN Challenge: RFC 8737
- ACME IP Validation: RFC 8738
- ACME Renewal Information (ARI): working group proposal
- How to structure a CP and/or CPS: RFC 3647
- CA/Browser Forum Baseline Requirements: https://cabforum.org/baseline-requirements-documents/
- CA/Browser Forum Network Security Requirements: https://cabforum.org/network-security-requirements/
- Let's Encrypt Policy and Legal Repository (CP, CPS, Subscriber Agreement, Privacy Policy): https://letsencrypt.org/repository/
- IdenTrust Policy documents (LE's CP/CPS have to be compatible with IdenTrust CP): https://secure.identrust.com/certificates/policy/ts/
- WebTrust for CAs: https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria
- Chrome Root Program: https://www.chromium.org/Home/chromium-security/root-ca-policy
- Mozilla Root Store Policy: http://www.mozilla.org/projects/security/certs/policy/
- Microsoft Trusted Root Program: https://docs.microsoft.com/en-us/security/trusted-root/program-requirements
- Apple Root Certificate Program: http://www.apple.com/certificateauthority/ca_program.html
- Android: https://issuetracker.google.com/issues?q=componentid:190923%20status:open
Additional relevant information not incorporated directly into root program requirements:
Critical lists for keeping up with the Web PKI and ACME:
- CA/Browser Forum Public: https://lists.cabforum.org/mailman/listinfo/public
- CA/B Forum Server Certificate Working Group: https://lists.cabforum.org/mailman/listinfo/servercert-wg
- Mozilla Dev Security Policy (MDSP): https://groups.google.com/a/mozilla.org/g/dev-security-policy
- Previous archive: https://groups.google.com/g/mozilla.dev.security.policy
- Public list for CCADB (Common CA DataBase): https://groups.google.com/a/ccadb.org/g/public
- IETF ACME Working Group: https://mailarchive.ietf.org/arch/browse/acme/
- IETF CT Working Group: https://www.ietf.org/mail-archive/web/trans/current/maillist.html
- Certificate Transparency Policy: https://groups.google.com/a/chromium.org/g/ct-policy
- The CA Compliance Bugzilla Component: click "Watch"
Informational lists for tools Let's Encrypt uses:
- The Let's Encrypt Community Forum: https://community.letsencrypt.org/
- Golang: https://groups.google.com/g/golang-announce
- Zlint: https://groups.google.com/g/zlint-announcements
- Bulletproof TLS Newsletter: https://www.feistyduck.com/bulletproof-tls-newsletter/
- The Boulder and Pebble GitHub repos (click "Watch")
A collection of articles that provide greater depth and nuance on a variety of topics:
- Let's Encrypt's public documentation
- Especially the Glossary
- A Warm Welcome to ASN.1 and DER
- A Warm Welcome to DNS
- Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web, academic paper, 2019
- Experiences Deploying Multi-Vantage-Point Domain Validation at Let’s Encrypt, academic paper 2021
- Why and how to develop Blameless Postmortems Culture
- Fixing the AddTrust Root Expiration
- MD5 hash collision to create a rogue CA
- Report on the 2011 DigiNotar breach
- Removal of TurkTrust mis-issued MITM intermediates
- Post about how strict browser behavior benefits the whole ecosystem
- An explanation of DNS hijacking attacks
- Discussions about the difficulties of revocation checking:
- Adam Langley's three posts on the topic
- Mozilla's plans for Firefox
- Cloudflare's and Ryan Sleevi's posts about OCSP Stapling
- How TLS clients build certification paths, and what mistakes have been made
A collection of past CA Compliance incidents that are valuable learning material:
-
All Let's Encrypt CA Compliance issues
- We also post them to our community forum
- Issues leading to Symantec distrust
- Issues leading to WoSign distrust
- Issues leading to PROCERT distrust
- Issues leading to Certinomis distrust
-
Bug 1640805: Delayed publication of revocation information
- Clarifies that a certificate is not considered revoked until updated OCSP responses are globally visible
-
Bug 1598390: Null character in root CA URLs
- Requires multiple layers (technical, social) of root cause analysis; shows importance of automated ceremony tooling
-
Unicode Normalization Incident
- Rapid remediation and revocation; led to integration of pre-issuance linting at Let's Encrypt
-
Bug 1619047: CAA Rechecking Bug
- Root-caused by Go loop variable aliasing; led to many remediations at Let's Encrypt
- Also accompanied by Bug 1619179: Incomplete revocation