You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In #7406, we deployed all the necessary code and infrastructure to manually pause specific account-identifier pairs. Two batches of manual pauses were conducted based on 90 days of authorization logs:
Batch 1: Averaged 50 authorization failures per day, with no successful attempts, over 90 days.
Batch 2: Averaged 40 authorization failures per day, with no successful attempts, over 90 days.
After a few weeks with no complaints and very few unpauses, it seems reasonable to move forward with automated detection and pausing for accounts that meet the criteria established in our second batch.
Automatic Pausing Requirements
To efficiently identify pairs for pausing, we'll implement a new rate limit within our existing key-value rate limit system. This limit will be similar to our current FailedAuthorizationsPerDomainPerAccount limit and will use the same bucket key format of enum:regId:domain.
However, there are some differences:
The configured period will match our longest issuance time, 90 days.
The configured count will be our period (90) * acceptable failures per day (40), or 3600.
The bucket will always be reset to 0 if the subscriber successfully validates an authorization for that identifier.
When the limit is reached, the account and identifier will be added to our paused table by calling SA.PauseIdentifiers().
Any subsequent new-order requests from this account for certificates containing this identifier will then be rate limited. The rate limit notice will include a URL they can use to automatically unpause all paused identifiers associated with their account.
The text was updated successfully, but these errors were encountered:
Manual Pausing Background
In #7406, we deployed all the necessary code and infrastructure to manually pause specific account-identifier pairs. Two batches of manual pauses were conducted based on 90 days of authorization logs:
After a few weeks with no complaints and very few unpauses, it seems reasonable to move forward with automated detection and pausing for accounts that meet the criteria established in our second batch.
Automatic Pausing Requirements
To efficiently identify pairs for pausing, we'll implement a new rate limit within our existing key-value rate limit system. This limit will be similar to our current
FailedAuthorizationsPerDomainPerAccount
limit and will use the same bucket key format ofenum:regId:domain
.However, there are some differences:
period
will match our longest issuance time, 90 days.count
will be ourperiod
(90) * acceptable failures per day (40), or 3600.paused
table by callingSA.PauseIdentifiers()
.Any subsequent new-order requests from this account for certificates containing this identifier will then be rate limited. The rate limit notice will include a URL they can use to automatically unpause all paused identifiers associated with their account.
The text was updated successfully, but these errors were encountered: