On 12/09/2016 21:57, Rob Stradling wrote:
On 12/09/16 18:57, Jakob Bohm wrote:
On 11/09/2016 07:49, Peter Bowen wrote:
On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <hanyuwe...@gmail.com> wrote:
So when I delegated the DNS service to Cloudflare, Cloudflare has
the privilege to issue the certificate by default? Can I understand
it like that?

I would guess that they have a clause in their terms of service or
customer agreement that says they can update records in the DNS zone
and/or calls out that the subscriber consents to them getting a
certificate for any domain name hosted on CloudFlare DNS.

This seems another reason for the web to not trust cloudflare as a
trustworthy domain proxy handler.

Just because their (paid, presumably) job gives them the technical
ability to request certificates without the consent of the domain
owner, this does not give them any legitimate right to do so.

Hi Jakob.  Do you find any fault with Comodo for issuing this cert
(https://crt.sh/?id=31206531) ?

We validated domain control, but we did not attempt to establish "the
consent of the domain owner"(s) directly.  As others have pointed out,
this is compliant with the CABForum BRs.

Given that establishing "the consent of the domain owner" is the
territory of OV certs and EV certs, is it your opinion that DV certs
should be outlawed?


I find fault in CloudFlare (presuming the story is actually as
reported).

I also think that CAs (of any cert type) should have a process where
the owner of the certified identity can request revocation based on
disavowal of a (technically valid) request (not at all limited to the
DV case, legitimate representatives get ousted all the time).  This
would be a routine process involving identity checks to confirm that
the revocation requestor outranks the certificate requestor, rather
than the fallback of public reporting of bad certs.

From the story as reported, Comodo had every reason to believe that
CloudFlare was authorized by the domain owner to request that DV cert,
and had no additional preemptive tests to do (barring a future finding
that CloudFlare should be blacklisted from requesting DV certificates,
which would require a large number of cases given the huge number of
domains they handle without objection by domain owners).
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy