I took Florian's comment to mean that the structure of what CloudFlare is doing 
is essentially a proxy service that is able to manipulate DNS entries to obtain a 
certificate. In the case of CloudFlare, we understand their business and thus 
presume that the action is OK. For anybody else, though...???

Put another way: Just because you can manipulate DNS entries does not 
necessarily mean you are the right person to receive a cert. Rather, it's "I 
hope you are the right person". If Florian had a different meaning, though, it 
would be good to get him to clarify that.


  Original Message  
From: Matt Palmer
Sent: Saturday, September 17, 2016 6:27 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Cerificate Concern about Cloudflare's DNS

On Sat, Sep 17, 2016 at 04:38:50PM +0200, Florian Weimer wrote:
> * Peter Bowen:
> 
> > On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <hanyuwe...@gmail.com> wrote:
> >> So when I delegated the DNS service to Cloudflare, Cloudflare have
> >> the privilege to issue the certificate by default? Can I understand
> >> like that?
> >
> > I would guess that they have a clause in their terms of service or
> > customer agreement that says they can update records in the DNS zone
> > and/or calls out that the subscriber consents to them getting a
> > certificate for any domain name hosted on CloudFlare DNS.
> 
> I find it difficult to believe that the policies permit Cloudflare's
> behavior, but are expected to prevent the issue of interception
> certificates. Aren't they rather similar, structurally?

I'm not seeing any similarity, but I don't understand your use of
"structurally", so if you could expand on your meaning, that would be
useful.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy