On 09/10/2016 05:43 PM, Erwann Abalea wrote:
> Hello,
> 
> On Saturday, 10 September 2016 14:37:40 UTC+2, Han Yuwei wrote:
>> I am using Cloudflare's DNS service and I found that Cloudflare has issued a 
>> certificate to their server including my domain. But I didn't use any SSL 
>> service of theirs. Is that OK under Mozilla's policy?
>>
>> Issued certificate: https://crt.sh/?id=31206531
>> My domain is BUPT.MOE
> 
> Technically speaking, Cloudflare did not issue a certificate; they requested 
> one and had it issued by a CA.


And they state this clearly at https://www.cloudflare.com/plans/. The
free and pro plans have Cloudflare-issued certificates ("Cloudflare
issued" meaning that Cloudflare initiates the issuance procedure), while
the business and enterprise plans can have either Cloudflare-issued
certificates or certificates obtained by the user and uploaded to
Cloudflare.

Regards,
Fotis

> 
> I won't say whether it's OK for Mozilla or not, but it's at least authorized 
> by the CABForum Baseline Requirements.
> 
> Cloudflare was the Applicant (it's now the Subscriber), Comodo is the CA, you 
> are the Domain Name Registrant, your Registrar appears to be Hosting Concept 
> (Openprovider), the requested FQDN is bupt.moe.
> 
> The Applicant requested a certificate for the FQDN from the CA; the CA has 
> several methods declared in its CPS to verify that the Applicant is 
> authorized by the Domain Name Registrant to control the FQDN.
> 
> Of all these methods, some of them won't work here without your knowledge 
> (a phone call, sending you an email as listed in the Whois, sending an email to 
> admin/administrator/webmaster/hostmaster/postmaster@yourdomain).
> One of the remaining methods may have been possible only if Cloudflare 
> redirected the DNS record of your FQDN to one of their servers just for the 
> verification to pass ("Having the Applicant demonstrate practical control 
> over the FQDN by making an agreed‐upon change to information found on an 
> online Web page identified by a uniform resource identifier containing the 
> FQDN"), which could be considered problematic.
> In my opinion, the most plausible verification method in this case is the 
> last one: "Having the Applicant demonstrate practical control over the FQDN 
> by making an agreed-upon change to information found in the DNS containing 
> the FQDN"; for example asking the Applicant to add a CA-chosen random value 
> in a TXT record of the FQDN.
> 
> Since you delegated your DNS server to Cloudflare, you implicitly allowed 
> them to perform this certificate request on your behalf.
> 
> 
> Ironically, since you're not the Subscriber, you cannot request the 
> revocation of this certificate, at least not directly from the CA. If you want 
> this certificate to be revoked, you need to ask Cloudflare.
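As an added illustration of the DNS-based validation method Erwann describes (example code, not from the thread or from any CA), the following simulates a CA challenge against a constructed in-memory zone for bupt.moe: the party operating the authoritative DNS can publish the CA-chosen value and pass the check without the registrant doing anything, which is the point of the thread; a registrant-side audit function then lists validation-looking TXT records the registrant did not publish. The `_dcv-token=` marker, the zone records and the function names are all assumptions made for this example.

```python
import hmac
import secrets

TOKEN_PREFIX = "_dcv-token="  # constructed marker; real CAs use their own record formats


def make_zone():
    """Constructed stand-in for the authoritative zone of bupt.moe (sample records only)."""
    return {("bupt.moe", "A"): ["203.0.113.10"],
            ("bupt.moe", "TXT"): ["v=spf1 -all"]}


def resolve(zone, name, rtype):
    """Stand-in for the DNS lookup the CA would perform against the authoritative zone."""
    return list(zone.get((name.lower(), rtype), []))


def ca_issue_challenge(fqdn):
    """CA side: choose a random value the Applicant must publish in the DNS for the FQDN."""
    return {"fqdn": fqdn.lower(), "token": secrets.token_urlsafe(32)}


def dns_operator_fulfil(zone, challenge):
    """Publish the agreed-upon value. Whoever runs the authoritative zone can do this;
    in the thread that party is Cloudflare, not the Domain Name Registrant."""
    key = (challenge["fqdn"], "TXT")
    zone.setdefault(key, []).append(TOKEN_PREFIX + challenge["token"])


def ca_verify(zone, challenge):
    """CA side: validation passes only if the agreed-upon value is present in a TXT record."""
    expected = TOKEN_PREFIX + challenge["token"]
    return any(hmac.compare_digest(rec, expected)
               for rec in resolve(zone, challenge["fqdn"], "TXT"))


def registrant_audit(zone, fqdn, approved_tokens=()):
    """Registrant side: TXT values that look like validation tokens but that the registrant
    did not publish. Such records indicate a third party (e.g. the DNS host) may have
    requested a certificate; pair this with a Certificate Transparency search like the
    crt.sh lookup quoted above."""
    return [rec for rec in resolve(zone, fqdn, "TXT")
            if rec.startswith(TOKEN_PREFIX)
            and rec[len(TOKEN_PREFIX):] not in approved_tokens]


if __name__ == "__main__":
    zone = make_zone()
    challenge = ca_issue_challenge("bupt.moe")
    print("valid before DNS change:", ca_verify(zone, challenge))   # False
    dns_operator_fulfil(zone, challenge)                             # done by the DNS operator
    print("valid after DNS change:", ca_verify(zone, challenge))    # True
    print("records the registrant never published:", registrant_audit(zone, "bupt.moe"))
```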

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
