As somebody who's interested in Let's Encrypt and runs some custom client code, I have subscribed to the "Incidents" category. Most postings in there describe some kind of "misissuance" type incident, where Let's Encrypt "broke the rules" and needs to revoke some certificates, or at least justify why revoking certificates isn't necessary or otherwise explain what happened. There are also occasionally posts about how they aren't affected by a common-to-many-systems vulnerability that they're being asked about frequently, or about an incident response of emergency measures being taken to protect their infrastructure from abuse.
In the last few months, I've noticed that there have been a few incidents that were reported to the Mozilla root program but don't have a post in the Incidents category:
- Certificates issued to Elliptic Curve Debian Weak Keys
- Incomplete and Inconsistent CRLs
- Delayed revocation for removed gTLD
Now, the reason I'm following Let's Encrypt incidents so closely is just because I'm being nosy. But as the Integration Guide suggests that client developers and large integrators only need to follow the "API Announcements" category to learn about updates, I'm trying to learn what the "Incidents" category is for and who should subscribe to it to ensure they see posts in it.
- Is the expectation that there is only a post in the "Incidents" category if there's a need for a post from Let's Encrypt specifically to this community, and that (as with the three listed above), if there's no perceived need for this community to be informed, Let's Encrypt will only inform the root programs? (I posted links to Mozilla above because they run their root program in a very open way, but it's my understanding that incidents like those need to be reported privately to other root programs as well.)
- If I'm the subscriber for a certificate being revoked due to one of these "smaller" incidents that don't warrant a post to this community, is there a notification that happens to the email address on file for the account when revocation due to an incident occurs? (And if I don't want to give Let's Encrypt my email address, well that's just on me so I might expect my certificate to be revoked and won't know why unless I look through reports to the root programs.)
- Should it be recommended for client authors and large integrators to subscribe to the "Incidents" category in addition to the "API Announcements" category, to learn about things like incident response that temporarily disables some issuance that might impact my requests, like what happened with Plesk for a day? Or are those also handled by separately contacting those integrators, so if it's just one integrator it might have a post in "Incidents" (because it's worth noting but the people involved are already aware) but if there's more than one integrator affected it would have a post in "API Announcements" to be more widely spread?
Thanks for indulging my curiosity.