Re: [gtld-tech] ICANN CRL expired and not updated yet
Francisco, Can you please provide the length of the outage period and the symptoms observed by users as currently understood? Clearly stating the known facts would be useful for all those who rely on the service and who need to now identify invalid submission failures. -- Kal Feher -----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of Francisco Arias Sent: Tuesday, 28 July 2015 11:39 AM To: David Krizanic; gtld-tech@icann.org Subject: Re: [gtld-tech] ICANN CRL expired and not updated yet This message contains a digitally signed email which can be read by opening the attachment.
Hi Kal, The first version of the TMCH CA CRL had a "Next Update" field set to 2015-07-23 23:59:59 UTC. The second version of the CRL was published on 2015-07-28 01:35:00 UTC. Leaving a window of 4 days, 1 hour and 35 minutes of potential impact. TLDs with sunrise periods between 24 July 2015 and 28 July 2015 may have determined that certificates issued by the TMCH could not be validated. Registrars who received sunrise registration/application requests for those TLDs during that period may have also been affected. Moving forward, ICANN plans to publish a definitive schedule for future CRL updates. Registries and registrars must continue refreshing the CRL as specified in draft-lozano-tmch-func-spec (i.e., at least every 24 hours). A communication was sent to the potentially affected parties (registries and registrars). Regards, -- Francisco. On 7/28/15, 6:40 PM, "Kal Feher" <Kal.Feher@ariservices.com> wrote:
Francisco, Can you please provide the length of the outage period and the symptoms observed by users as currently understood?
Clearly stating the known facts would be useful for all those who rely on the service and who need to now identify invalid submission failures.
-- Kal Feher
-----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of Francisco Arias Sent: Tuesday, 28 July 2015 11:39 AM To: David Krizanic; gtld-tech@icann.org Subject: Re: [gtld-tech] ICANN CRL expired and not updated yet
This message contains a digitally signed email which can be read by opening the attachment.
On Jul 30, 2015, at 9:58 PM, Francisco Arias <francisco.arias@icann.org> wrote:
Hi Kal,
The first version of the TMCH CA CRL had a "Next Update" field set to 2015-07-23 23:59:59 UTC. The second version of the CRL was published on 2015-07-28 01:35:00 UTC. Leaving a window of 4 days, 1 hour and 35 minutes of potential impact.
(...)
Moving forward, ICANN plans to publish a definitive schedule for future CRL updates. Registries and registrars must continue refreshing the CRL as specified in draft-lozano-tmch-func-spec (i.e., at least every 24 hours).
If the refresh is at least every 24h, that would add another another day to the potential impact. Rubens
Thank you Francisco, That is exactly what I was hoping for. -- Kal Feher -----Original Message----- From: Francisco Arias [mailto:francisco.arias@icann.org] Sent: Friday, 31 July 2015 10:59 AM To: Kal Feher; gtld-tech@icann.org Subject: Re: [gtld-tech] ICANN CRL expired and not updated yet Hi Kal, The first version of the TMCH CA CRL had a "Next Update" field set to 2015-07-23 23:59:59 UTC. The second version of the CRL was published on 2015-07-28 01:35:00 UTC. Leaving a window of 4 days, 1 hour and 35 minutes of potential impact. TLDs with sunrise periods between 24 July 2015 and 28 July 2015 may have determined that certificates issued by the TMCH could not be validated. Registrars who received sunrise registration/application requests for those TLDs during that period may have also been affected. Moving forward, ICANN plans to publish a definitive schedule for future CRL updates. Registries and registrars must continue refreshing the CRL as specified in draft-lozano-tmch-func-spec (i.e., at least every 24 hours). A communication was sent to the potentially affected parties (registries and registrars). Regards, -- Francisco. On 7/28/15, 6:40 PM, "Kal Feher" <Kal.Feher@ariservices.com> wrote:
Francisco, Can you please provide the length of the outage period and the symptoms observed by users as currently understood?
Clearly stating the known facts would be useful for all those who rely on the service and who need to now identify invalid submission failures.
-- Kal Feher
-----Original Message----- From: gtld-tech-bounces@icann.org [mailto:gtld-tech-bounces@icann.org] On Behalf Of Francisco Arias Sent: Tuesday, 28 July 2015 11:39 AM To: David Krizanic; gtld-tech@icann.org Subject: Re: [gtld-tech] ICANN CRL expired and not updated yet
This message contains a digitally signed email which can be read by opening the attachment.
participants (3)
-
Francisco Arias -
Kal Feher -
Rubens Kuhl