On 12/09/16 18:57, Jakob Bohm wrote:
> On 11/09/2016 07:49, Peter Bowen wrote:
>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <[email protected]> wrote:
>>> So when I delegated the DNS service to Cloudflare, Cloudflare have
>>> the privilege to issue the certificate by default? Can I understand
>>> like that?
>>
>> I would guess that they have a clause in their terms of service or
>> customer agreement that says they can update records in the DNS zone
>> and/or calls out that the subscriber consents to them getting a
>> certificate for any domain name hosted on CloudFlare DNS.
>
> This seems another reason for the web to not trust cloudflare as a
> trustworthy domain proxy handler.
>
> Just because their (paid, presumably) job gives them the technical
> ability to request certificates without the consent of the domain
> owner, this does not give them any legitimate right to do so.

Hi Jakob.

Do you find any fault with Comodo for issuing this cert
(https://crt.sh/?id=31206531)?

We validated domain control, but we did not attempt to establish "the
consent of the domain owner"(s) directly. As others have pointed out,
this is compliant with the CABForum BRs.

Given that establishing "the consent of the domain owner" is the
territory of OV certs and EV certs, is it your opinion that DV certs
should be outlawed?

Just curious.

Thanks.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

