[Demand Signal] Rate limit submissions on issuer #585
Description
Trillian + CTFE was able to rate limit submission based on the first issuing certificate in a chain.
This is something that we could do with TesseraCT, but it is unclear whether it is required at the moment:
- That I am aware of, this never kicked in with Trillian + CTFE.
- If such a rate limit kicked in, this would mean that a CA is mass issuing a certificates (due to a bug, or for a legitimate reason). This could be related to a serious incident, that might require hands on help from CT log operators. We'd probably page log operators if this is really serious anyways. A rate limit would ensure fair resource usage while an oncaller investigates.
- A CA could still issue a different intermediate for every cert they issue (there's precedent with Google's compliance monitor, and also remember that we're talking of potential bugs) , in which case, rate limiting based on the first issuer in the chain wouldn't be useful.
I gave this a try with TesseraCT over there: https://github.com/phbnf/tesseract/tree/limitissuer. More work would be required to send a PR to limit the number of issuers being tracked and avoid unbounded memory growth (though this is somehow already limited by the number of roots accepted by TesseraCT). I'm thinking we could use a TwoQueueCache from https://pkg.go.dev/github.com/hashicorp/golang-lru/v2. There's non-trivial complexity!
Alternative solutions:
- Do nothing
- Monitor chain submission per issuer (but don't rate limit them)
- Enable TesseraCT to block submissions per issuer, and/or roots (related to Root update process #212)