I took Florian's comment to mean that the structure of what CloudFlare is doing is essentially a proxy service that is able to manipulate DNS entries to obtain a certificate. In the case of CloudFlare, we understand their business and thus presume that the action is OK. For anybody else, though...???
Put another way: Just because you can manipulate DNS entries does not necessarily mean you are the right person to receive a cert. Rather, it's "I hope you are the right person". If Florian had a different meaning, though, it would be good to get him to clarify that.

Original Message
From: Matt Palmer
Sent: Saturday, September 17, 2016 6:27 PM
To: [email protected]
Subject: Re: Certificate Concern about Cloudflare's DNS

On Sat, Sep 17, 2016 at 04:38:50PM +0200, Florian Weimer wrote:
> * Peter Bowen:
> 
> > On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <[email protected]> wrote:
> >> So when I delegated the DNS service to Cloudflare, Cloudflare has
> >> the privilege to issue the certificate by default? Can I understand
> >> it like that?
> > 
> > I would guess that they have a clause in their terms of service or
> > customer agreement that says they can update records in the DNS zone
> > and/or calls out that the subscriber consents to them getting a
> > certificate for any domain name hosted on CloudFlare DNS.
> 
> I find it difficult to believe that the policies permit Cloudflare's
> behavior, but are expected to prevent the issue of interception
> certificates. Aren't they rather similar, structurally?

I'm not seeing any similarity, but I don't understand your use of "structurally", so if you could expand on your meaning, that would be useful.

- Matt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
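The point made above, that passing a DNS-based validation only shows that whoever answered can write to the zone, can be seen directly in the ACME dns-01 challenge (RFC 8555 section 8.4). The following is an added illustration, not code from the thread, from Cloudflare or from any CA: it models the CA-side check with an in-memory dictionary standing in for the zone, and constructed placeholder account keys (only their RFC 7638 thumbprint matters for dns-01). Whichever party holds the write handle to the zone can satisfy the check for its own ACME account key, and the CA has no way to tell that party apart from the registrant.

```python
"""
Toy model of ACME dns-01 validation (RFC 8555 section 8.4).
Added example; the Zone class and the JWK values are constructed stand-ins,
not real DNS or real keys.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required JWK members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def txt_value(token: str, account_jwk: dict) -> str:
    """Value the CA expects in the _acme-challenge TXT record:
    base64url(SHA-256(token "." thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


class Zone:
    """Minimal stand-in for a DNS zone. Anyone holding this object can add records,
    which is exactly the position a DNS hosting provider is in."""

    def __init__(self):
        self.records = {}  # (owner name, rrtype) -> list of values

    def add(self, name: str, rtype: str, value: str) -> None:
        self.records.setdefault((name.lower(), rtype), []).append(value)

    def lookup(self, name: str, rtype: str) -> list:
        return list(self.records.get((name.lower(), rtype), []))


def ca_validate(zone: Zone, domain: str, token: str, account_jwk: dict) -> bool:
    """What the CA actually checks: does a TXT record with the expected value exist?
    Nothing in this check identifies who wrote the record."""
    expected = txt_value(token, account_jwk)
    return expected in zone.lookup(f"_acme-challenge.{domain}", "TXT")


def demo() -> dict:
    zone = Zone()
    domain = "example.com"
    # Two ACME accounts: the registrant's and the DNS operator's (constructed keys).
    registrant_key = {"kty": "EC", "crv": "P-256",
                      "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
    operator_key = {"kty": "EC", "crv": "P-256",
                    "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}
    token = b64url(secrets.token_bytes(16))  # challenge token issued by the CA
    # The DNS operator, not the registrant, publishes the record for its own account key.
    zone.add(f"_acme-challenge.{domain}", "TXT", txt_value(token, operator_key))
    return {
        "operator_passes": ca_validate(zone, domain, token, operator_key),
        "registrant_passes": ca_validate(zone, domain, token, registrant_key),
    }


if __name__ == "__main__":
    print(demo())
```

The CAA record (RFC 8659) that a registrant might use to restrict which CAs may issue lives in the same zone, so an operator with zone write access can satisfy or alter that check as well; monitoring Certificate Transparency logs is the detection a registrant retains independently of the zone.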