On 12/09/2016 23:48, Ryan Sleevi wrote:
On Monday, September 12, 2016 at 2:33:47 PM UTC-7, Jakob Bohm wrote:
I find fault in CloudFlare (presuming the story is actually as
reported).
Why? Apologies, but I fail to see what you believe is "wrong", given how
multiple people have pointed out to you that it is well-understood and permissible, under past
and present guidelines.
Note that this is *entirely* outside CA/B and CA inclusion related
guidelines, since CloudFlare is (presumably) not a CA and thus not
subject to such guidelines.
I am saying that they are (if the story is true) morally at fault for
requesting a certificate that the domain owner did not authorize them
to request, abusing their job of handling some technical aspects of the
domain owner's operation.
The common equivalent would be a network administrator requesting a
certificate that his boss had not authorized him to request. There is
no way an outside CA could know that such authorization had not been
given if that employee was in a position where the only difference
between a real or bad request would be what their boss did or did not
tell the employee to do.
This common equivalent would be sufficiently common (on a worldwide
statistical basis), that it would be useful for large CAs to have
standard procedures and policies (be they manual or automated, public
or internal) for handling such situations. The defining characteristic
would be "this person claims to outrank the original certificate
requestor and is requesting revocation of a certificate without having
access to the files etc. involved in the original request".
From the story as reported, Comodo had every reason to believe that
CloudFlare was authorized by the domain owner to request that DV cert,
and had no additional preemptive tests to do (barring a future finding
that CloudFlare should be blacklisted from requesting DV certificates,
which would require a large number of cases given the huge number of
domains they handle without objection by domain owners).
This gets further into "What you're proposing doesn't exist" territory, such as
the notion of blacklisting an organization from requesting a DV cert, when the whole
notion of DV is that the only thing validated is the domain (not the organization
operating the domain or requesting the cert).
I was arguing *against* adding CloudFlare to such a list, even if it
existed.
And I would presume that any security-conscious CA would have an
internal blacklist of bad networks that they refuse to sell to because
it tends to create too many practical, security or legal problems.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy