Hello,

On Saturday, September 10, 2016 at 14:37:40 UTC+2, Han Yuwei wrote:
> I am using Cloudflare's DNS service and I found that Cloudflare has issued a 
> certificate to their server including my domain. But I didn't use any SSL 
> service of theirs. Is that ok to Mozilla's policy?
> 
> Issued certificate: https://crt.sh/?id=31206531
> My domain is BUPT.MOE

Technically speaking, Cloudflare did not issue a certificate, they requested 
one and had it issued by a CA.

I won't say whether it's ok for Mozilla or not, but it's at least authorized by 
the CABForum Baseline Requirements.

Cloudflare was the Applicant (it's now the Subscriber), Comodo is the CA, you 
are the Domain Name Registrant, your Registrar appears to be Hosting Concept 
(Openprovider), the requested FQDN is bupt.moe.

The Applicant requested a certificate for the FQDN to the CA, the CA has 
several methods declared in its CPS to verify that the Applicant is authorized 
by the Domain Name Registrant to control the FQDN.

Of all these methods, some of them won't work here without your knowledge 
(phone-call, sending you an email as listed in the Whois, sending an email to 
admin/administrator/webmaster/hostmaster/postmaster@yourdomain).
One of the remaining methods may have been possible only if Cloudflare 
redirected the DNS record of your FQDN to one of their servers just for the 
verification to pass ("Having the Applicant demonstrate practical control over 
the FQDN by making an agreed‐upon change to information found on an online Web 
page identified by a uniform resource identifier containing the FQDN"), which 
could be considered problematic.
In my opinion, the most plausible verification method in this case is the last 
one: "Having the Applicant demonstrate practical control over the FQDN by 
making an agreed-upon change to information found in the DNS containing the 
FQDN"; for example asking the Applicant to add a CA-chosen random value in a 
TXT record of the FQDN.

Since you delegated your DNS server to Cloudflare, you implicitly allowed them 
to perform this certificate request on your behalf.


Ironically, since you're not the Subscriber, you cannot request the 
revocation of this certificate, at least not directly from the CA. If you want 
this certificate to be revoked, you need to ask Cloudflare.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
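The following is an added worked illustration of the DNS-based validation method discussed in the reply above (a CA-chosen random value published in a TXT record of the FQDN); it is example code written for this page, not code from the thread, from Cloudflare or from Comodo. The zone, the CA and the parties are constructed in-memory stand-ins, and the names `Zone`, `CertificateAuthority` and `run_scenario` are assumptions made for the example. It shows why whoever operates the delegated zone can pass the challenge while the registrant, having delegated the zone, cannot block it or pass it on their own.

```python
import hmac
import secrets

# Constructed, in-memory stand-ins for the parties named in the thread:
# a Domain Name Registrant, the DNS operator the zone is delegated to, and a CA.
# This is illustrative code, not Cloudflare's or Comodo's real implementation.


class Zone:
    """Authoritative zone; only the operator it is delegated to may change records."""

    def __init__(self, apex, operator):
        self.apex = apex.lower().rstrip(".")
        self.operator = operator
        self._records = {}          # (owner, rtype) -> [value, ...]

    def add_record(self, owner, rtype, value, actor):
        # Delegation means the registrant no longer writes to the zone directly.
        if actor != self.operator:
            raise PermissionError(f"{actor!r} does not operate zone {self.apex!r}")
        key = (owner.lower().rstrip("."), rtype.upper())
        self._records.setdefault(key, []).append(value)

    def lookup(self, owner, rtype):
        key = (owner.lower().rstrip("."), rtype.upper())
        return list(self._records.get(key, []))


class CertificateAuthority:
    """Issues a DNS-change challenge and checks it by querying the zone."""

    def __init__(self):
        self._pending = {}          # (fqdn, applicant) -> CA-chosen random token

    def start_challenge(self, fqdn, applicant):
        token = secrets.token_hex(16)      # agreed-upon random value
        self._pending[(fqdn.lower(), applicant)] = token
        return token

    def verify(self, zone, fqdn, applicant):
        expected = self._pending.get((fqdn.lower(), applicant))
        if expected is None:
            return False
        # Compare each published TXT value in constant time against the token.
        for value in zone.lookup(fqdn, "TXT"):
            if hmac.compare_digest(value, expected):
                return True
        return False


def run_scenario(fqdn="bupt.moe", registrant="registrant", operator="dns-operator"):
    """Play the thread's situation through: the zone for fqdn is delegated to operator."""
    zone = Zone(fqdn, operator=operator)
    ca = CertificateAuthority()
    outcome = {}

    # 1. The challenge passes when the zone operator publishes the token.
    token = ca.start_challenge(fqdn, applicant=operator)
    zone.add_record(fqdn, "TXT", token, actor=operator)
    outcome["operator_passes"] = ca.verify(zone, fqdn, applicant=operator)

    # 2. The same challenge fails for an applicant who cannot write to the zone.
    ca.start_challenge(fqdn, applicant="stranger")
    outcome["stranger_passes"] = ca.verify(zone, fqdn, applicant="stranger")

    # 3. The registrant who delegated the zone cannot write to it directly.
    try:
        zone.add_record(fqdn, "TXT", "anything", actor=registrant)
        outcome["registrant_can_write"] = True
    except PermissionError:
        outcome["registrant_can_write"] = False

    # 4. A token left over from an earlier challenge does not satisfy a new one.
    ca.start_challenge(fqdn, applicant="renewal")
    outcome["stale_value_passes"] = ca.verify(zone, fqdn, applicant="renewal")
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

Running it with the defaults yields a dict showing the operator passing, the stranger and the stale-token case failing, and the registrant's write being refused; the point for a domain owner is that Certificate Transparency logs such as the crt.sh entry cited in the question, rather than the DNS challenge itself, are where issuance performed by a delegated operator becomes visible.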
