Re: Cerificate Concern about Cloudflare's DNS

Mon, 12 Sep 2016 17:43:27 -0700 

On 13/09/2016 01:28, Ryan Sleevi wrote:

On Monday, September 12, 2016 at 3:51:56 PM UTC-7, Jakob Bohm wrote:

Note that this is *entirely* outside CA/B and CA inclusion related
guidelines, since CloudFlare is (presumably) not a CA and thus not
subject to such guidelines.


Then isn't it also generally outside the scope of this list?



I would not have discussed it if there had not already been a thread.

I have mostly written about why this is not a CA fault and what minimal
handling of the complaint would be reasonable CA behavior if such a
case was raised to them by the domain owner.


I am saying that they are (if the story is true) morally at fault for
requesting a certificate that the domain owner did not authorize them
to request, abusing their job of handling some technical aspects of the
domain owners operation.


This gets into emotionally laden language that makes it hard to engage in a 
reasoned discussion with you. To wit, we've established nothing in CA's 
policies prohibit this, nothing in Mozilla's policies prohibit this, you've 
acknowledged that there is harm in creating such policies to prohibit this, so 
it's unclear what positive things you expect to result from this discussion, or 
the value being brought.



I am using the word "morally" simply to distinguish suggested policy
from any current legalities (a previous poster mentioned the
possibility that it might be formally permitted by contract language),
not to express emotion.


And I would presume that any security conscious CA would have an
internal black list of bad networks that they refuse to sell to because
it tends to create too many practical, security or legal problems.


The presumption is, of course, just that - pure speculation. It does seem 
you're opposed to creating such a list, however, so shall we just move on?



Not in principle, just stating that the current incident is not a
reason to establish such a list.  I could imagine cases where some
other hoster was creating havoc across multiple CAs.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy























					Reply via email to