On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote:
> On Mon, Sep 12, 2016 at 08:57:29PM +0100, Rob Stradling wrote:
> > On 12/09/16 18:57, Jakob Bohm wrote:
> > > On 11/09/2016 07:49, Peter Bowen wrote:
> > > > On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <[email protected]> wrote:
> > > > > So when I delegated the DNS service to Cloudflare, Cloudflare has
> > > > > the privilege to issue the certificate by default? Can I understand
> > > > > it like that?
> > > >
> > > > I would guess that they have a clause in their terms of service or
> > > > customer agreement that says they can update records in the DNS zone
> > > > and/or calls out that the subscriber consents to them getting a
> > > > certificate for any domain name hosted on CloudFlare DNS.
> > >
> > > This seems like another reason for the web to not trust Cloudflare as a
> > > trustworthy domain proxy handler.
> > >
> > > Just because their (paid, presumably) job gives them the technical
> > > ability to request certificates without the consent of the domain
> > > owner, this does not give them any legitimate right to do so.
> >
> > Hi Jakob. Do you find any fault with Comodo for issuing this cert
> > (https://crt.sh/?id=31206531)?
> >
> > We validated domain control, but we did not attempt to establish "the
> > consent of the domain owner"(s) directly. As others have pointed out,
> > this is compliant with the CABForum BRs.
>
> Are you able, by any chance, to reveal whether the domain control was
> validated by HTTP request, DNS change, or "other" (please specify <grin>)?
> At present, it looks like every domain listed in that certificate *other*
> than the domain at issue (bupt.moe) resolves to Cloudflare IP space, so my
> working theory is that the domain was previously pointed to a Cloudflare
> proxy, and has since been moved elsewhere.
>
> However, it would be nice, for my peace of mind at least, to know how
> control was validated in this instance, if that's something you're able to
> share (I understand you reasonably might not be able, and if so, no
> problem).
>
> If Cloudflare *was*, in fact, obtaining certificates on behalf of all its
> DNS-using (only) customers on the "off chance" that they might want to use
> their proxy services in the future, that would be extremely creepy and
> unpleasant, but so far I don't think there's enough evidence to be able to
> say such a thing is happening at present. It seems far more likely that
> bupt.moe was a Cloudflare proxy customer (if only for a *very* brief time),
> the certificate was issued for that purpose, and now the domain has been
> pointed elsewhere, and the name is just hanging around in a cert which will
> expire in six months or so.
>
> - Matt
I am the owner of BUPT.MOE and I just use the DNS service.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

