I'm quite interested to read the post mortem analysis. How could this have happened?
Also, and more the reason for this thread — anyone got statistics on how many users could be affected by this? It only affects sites/services which are chaining to the ISRG root, so only custom-configured sites/services are affected. And also only users/clients which are actually requesting OCSP queries for the intermediate certificate are obviously affected?
Would anyone like to take a hit at a ballpark guess?
FWIW, it might make sense to start publishing the expiry dates of everything on the /certificates page in plaintext. That would leverage the community members as an extra warning to notice any forthcoming expiries.
Publishing expiry dates, or even better: have some kind of monitoring to warn before certificates expire. I know, hindsight 20/20, but… I’m somewhat confused that this happened here: that’s the only other thing a CA has to take care of, right? Issuing certificates and making sure its own certificates do not expire? Anyway, thanks for the update and the incident report!