Recommended readings on encryption, security and privacy | Let's Encrypt

Team workat.tech
Disclaimer: This article was written a few years ago and may no longer be relevant, as software engineering has changed a lot in the last few years. This is what may be more relevant now: Future of Software Engineering - Gaurav Chandak

Are you interested in learning more about encryption, security and privacy?

This article is based on Let's Encrypt's recommended readings for software engineers interested in security and privacy.

Standards documents

  • Internet Public Key Infrastructure (Web PKI): RFC 5280
  • Certificate Path Building: RFC 4158
  • Online Certificate Status Protocol (OCSP): RFC 6960
    • Lightweight OCSP Profile: RFC 5019
  • Certificate Authority Authorization (CAA) DNS Record: RFC 8659
  • Certificate Transparency (CT): RFC 6962
    • And Cloudflare's readable introduction to CT
  • JSON Web Signatures (JWS): RFC 7515
  • Automatic Certificate Management Environment (ACME): RFC 8555
    • ACME TLS ALPN Challenge: RFC 8737
    • ACME IP Validation: RFC 8738
    • ACME Renewal Information (ARI): working group proposal

Legal / Policy documents

  • CA/B Forum Baseline Requirements
  • Let's Encrypt Policy and Legal Repository (CP, CPS, Subscriber Agreement, Privacy Policy)
  • IdenTrust Policy documents (LE's CP/CPS have to be compatible with IdenTrust CP)
  • WebTrust for CAs

Root programs

  • Chrome Root Program
  • Mozilla Root Store Policy
  • Microsoft Trusted Root Program
  • Apple Root Certificate Program
  • Android Issue Tracker

Additional relevant information not incorporated directly into root program requirements:

  • The Common CA Database
  • Required or Recommended Practices
  • Responding to an Incident

Mailing lists

Critical lists for keeping up with the Web PKI and ACME:

  • CA/Browser Forum Public
  • CA/B Forum Server Certificate Working Group
  • Mozilla Dev Security Policy
    • Previous archive
  • IETF ACME Working Group
  • IETF CT Working Group
  • Certificate Transparency Policy
  • The CA Compliance Bugzilla Component

Informational lists for tools Let's Encrypt uses:

  • The Let's Encrypt Community Forum
  • Golang
  • Zlint
  • Bulletproof TLS Newsletter
  • The Boulder and Pebble GitHub repos (click "Watch")

Misc

A collection of articles that provide greater depth and nuance on a variety of topics:

  • Let's Encrypt's public documentation
    • Especially the Glossary
  • A Warm Welcome to ASN.1 and DER
  • A Warm Welcome to DNS
  • Why and how to develop Blameless Postmortems Culture
  • Fixing the AddTrust Root Expiration
  • MD5 hash collision to create a rogue CA
  • Report on the 2011 DigiNotar breach
  • Removal of TurkTrust mis-issued MITM intermediates
  • Post about how strict browser behavior benefits the whole ecosystem
  • An explanation of DNS hijacking attacks
  • Discussions about the difficulties of revocation checking:
    • Adam Langley's three posts on the topic
    • Mozilla's plans for Firefox
    • Cloudflare's and Ryan Sleevi's posts about OCSP Stapling

Past Incidents

A collection of past CA Compliance incidents that are valuable learning material:

  • All Let's Encrypt CA Compliance issues
    • We also post them to our community forum
  • Issues leading to Symantec distrust
  • Issues leading to WoSign distrust
  • Issues leading to PROCERT distrust
  • Issues leading to Certinomis distrust
  • Bug 1640805: Delayed publication of revocation information
    • Clarifies that a certificate is not considered revoked until updated OCSP responses are globally visible
  • Bug 1598390: Null character in root CA URLs
    • Requires multiple layers (technical, social) of root cause analysis; shows importance of automated ceremony tooling
  • Unicode Normalization Incident
    • Rapid remediation and revocation; led to integration of pre-issuance linting at Let's Encrypt
  • Bug 1619047: CAA Rechecking Bug
    • Root-caused by Go loop variable aliasing; led to many remediations at Let's Encrypt
    • Also accompanied by Bug 1619179: Incomplete revocation

This document was originally published here.
