This incident report confuses me, probably since I'm just a "layperson" and not intimately familiar with the bazillion audit requirements CAs have or all the terminology involved. (And I do understand that it has to be hard to try to write up an incident report that's comprehensive about the problem and yet understandable to everyone.) The way it reads to me, you're properly logging when certificates are available and have OCSP information, and properly logging when a certificate's status changes to revoked, but there are some other "subsequent updates" to OCSP that aren't logged (but need to be for the auditors). But I thought that the whole thing OCSP did was just tell you if a certificate was revoked or not, so I don't understand what these other "subsequent updates" are. Could you give some examples? Maybe some rough "timeline of a typical certificate" describing what changes are getting logged and which ones aren't? Or is it so esoteric and technical that I probably shouldn't ask since the answer will just confuse me more?
I'm also a bit confused on the severity of the issue. While I do understand that it's important for auditors to be able to verify that Let's Encrypt is certifying domains and telling people the correct status of the certificates, I also kind of feel that if it was missed for this long (and presumably missed in past audits?) that this requirement can't be too critical in terms of ensuring that the whole WebPKI is being protected, right? And this is just that dotting all the i's and crossing all the t's is the bread-and-butter of how a CA ticks, so missing this requirement is something that needs to be addressed, but that users aren't really in any danger of being deceived about certificate statuses, right? Or since the logging is missing is it that we don't really know?
Thanks for indulging my questions during a time that you're all way too busy with a bunch of other priorities too. I'm just overly curious, I guess.