On Saturday, 10 September 2016 at 22:44:05 UTC+8, Erwann Abalea wrote:
> Hello,
> 
> On Saturday, 10 September 2016 at 14:37:40 UTC+2, Han Yuwei wrote:
> > I am using Cloudflare's DNS service and I found that Cloudflare has issued 
> > a certificate to their server including my domain. But I didn't use any SSL 
> > service of theirs. Is that ok with Mozilla's policy?
> > 
> > Issued certificate:https://crt.sh/?id=31206531
> > My domain is BUPT.MOE
> 
> Technically speaking, Cloudflare did not issue a certificate; they requested 
> one and had it issued by a CA.
> 
> I won't say whether it's ok for Mozilla or not, but it's at least authorized 
> by the CABForum Baseline Requirements.
> 
> Cloudflare was the Applicant (it's now the Subscriber), Comodo is the CA, you 
> are the Domain Name Registrant, your Registrar appears to be Hosting Concept 
> (Openprovider), the requested FQDN is bupt.moe.
> 
> The Applicant requested a certificate for the FQDN to the CA, the CA has 
> several methods declared in its CPS to verify that the Applicant is 
> authorized by the Domain Name Registrant to control the FQDN.
> 
> Of all these methods, some of them won't work here without your knowledge 
> (phone-call, sending you an email as listed in the Whois, sending an email to 
> admin/administrator/webmaster/hostmaster/postmaster@yourdomain).
> One of the remaining methods may have been possible only if Cloudflare 
> redirected the DNS record of your FQDN to one of their servers just for the 
> verification to pass ("Having the Applicant demonstrate practical control 
> over the FQDN by making an agreed‐upon change to information found on an 
> online Web page identified by a uniform resource identifier containing the 
> FQDN"), which could be considered problematic.
> In my opinion, the most plausible verification method in this case is the 
> last one: "Having the Applicant demonstrate practical control over the FQDN 
> by making an agreed-upon change to information found in the DNS containing 
> the FQDN"; for example asking the Applicant to add a CA-chosen random value 
> in a TXT record of the FQDN.
> 
> Since you delegated your DNS server to Cloudflare, you implicitly allowed 
> them to perform this certificate request on your behalf.
> 
> 
> Ironically, since you're not the Subscriber, you cannot request the 
> revocation of this certificate, at least not directly from the CA. If you want 
> this certificate to be revoked, you need to ask Cloudflare.

Thanks for your time.

So when I delegated the DNS service to Cloudflare, Cloudflare has the 
privilege to issue the certificate by default? Can I understand it like that?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
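The DNS-based validation method Erwann describes (the CA chooses a random value, the Applicant publishes it in a TXT record of the FQDN, the CA checks it via DNS), as an added Python simulation that is not part of this thread. `Zone`, `ToyCA` and `run_validation` are hypothetical names, and the "resolver" is an in-memory stand-in for real DNS; it shows that whoever operates the authoritative zone can complete the check with no step involving the Domain Name Registrant.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Zone:
    """Constructed toy authoritative zone. Whoever holds this object answers
    DNS for the domain, which is the position a delegated DNS provider is in."""
    records: dict = field(default_factory=dict)  # (name, rtype) -> [values]

    def publish_txt(self, name: str, value: str) -> None:
        self.records.setdefault((name.lower(), "TXT"), []).append(value)

    def lookup(self, name: str, rtype: str) -> list:
        return list(self.records.get((name.lower(), rtype), []))


class ToyCA:
    """Models the quoted BR method: agreed-upon change to information found
    in the DNS for the FQDN. No Registrant consent is part of the protocol."""

    def __init__(self, resolver):
        self.resolver = resolver  # callable(name, rtype) -> list of values
        self.pending = {}         # fqdn -> CA-chosen random value

    def issue_challenge(self, fqdn: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, per-request value
        self.pending[fqdn.lower()] = token
        return token

    def verify(self, fqdn: str) -> bool:
        expected = self.pending.get(fqdn.lower())
        if expected is None:
            return False  # never challenged: nothing to validate against
        # Exact match on a full TXT value; a substring match would be weaker.
        return any(v == expected for v in self.resolver(fqdn, "TXT"))


def run_validation(fqdn: str, zone: Zone, publish: bool = True) -> bool:
    """One full exchange: CA challenge -> DNS operator publishes -> CA checks.
    publish=False models an operator that does not act on the CA's request."""
    ca = ToyCA(zone.lookup)
    token = ca.issue_challenge(fqdn)
    if publish:
        zone.publish_txt(fqdn, token)  # the zone operator, not the Registrant
    return ca.verify(fqdn)


if __name__ == "__main__":
    print(run_validation("bupt.moe", Zone()))  # prints True
```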
