[No need to Cc me; I read the list]

On Tue, Sep 20, 2016 at 05:37:03PM -0500, Peter Kurrasch wrote:
> From: Matt Palmer
> > On Sat, Sep 17, 2016 at 04:38:50PM +0200, Florian Weimer wrote:
> > > * Peter Bowen:
> > > 
> > > > On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <hanyuwe...@gmail.com> 
> > > > wrote:
> > > >> So when I delegated the DNS service to Cloudflare, Cloudflare have
> > > >> the privilege to issue the certificate by default? Can I understand
> > > >> like that?
> > > >
> > > > I would guess that they have a clause in their terms of service or
> > > > customer agreement that says they can update records in the DNS zone
> > > > and/or calls out that the subscriber consents to them getting a
> > > > certificate for any domain name hosted on CloudFlare DNS.
> > > 
> > > I find it difficult to believe that the policies permit Cloudflare's
> > > behavior, but are expected to prevent the issue of interception
> > > certificates. Aren't they rather similar, structurally?
> > 
> > I'm not seeing any similarity, but I don't understand your use of
> > "structurally", so if you could expand on your meaning, that would be
> > useful.
>
> I took Florian's comment to mean that the structure of what CloudFlare is
> doing is essentially a proxy service that is able to manipulate DNS entries
> to obtain a certificate.  In the case of CloudFlare, we understand their
> business and thus presume that the action is OK.  For anybody else,
> though...???
> 
> Put another way: Just because you can manipulate DNS entries does not
> necessarily mean you are the right person to receive a cert.  Rather, it's
> "I hope you are the right person". If Florian had a different
> meaning, though, it would be good to get him to clarify that.

There's no indication that Cloudflare used DNS, specifically, to prove
control of any of the validated names in the certificate.  All of the names
were, at one time or another (and all bar one still are) resolving to a
Cloudflare IP.  It's unfortunate (though understandable) that Comodo weren't
able or willing to disclose the validation method used, but since every name
in the cert is, or was at some point, provided HTTP service by Cloudflare,
it seems reasonable to believe that was the method of control validation
used in this instance.

Frankly, though, to my mind DNS is the *best* (or, if you prefer, *least
worst*) way of demonstrating control of a name -- because that's where the
name originates from.  Blessed e-mail addresses and "can respond to HTTP"
are far less compelling answers to the question, "does the applicant have
effective control of the name(s) being validated?".  Control over DNS
allows you to subvert any other method of control validation.

Thus, be careful who you grant control over your DNS records.  End of story.

- Matt
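One way to make the check Matt reasons from above repeatable (which of a domain's names actually resolve to a third party's addresses, and so could be validated over HTTP by that party) is a small audit script. This is an added example, not code from the thread; the prefixes are constructed placeholders, and a real audit would substitute the provider's published address ranges.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed placeholder prefixes (documentation ranges); replace with the
# third party's published address ranges when auditing a real zone.
THIRD_PARTY_PREFIXES = [
    ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")
]

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve A/AAAA via the OS resolver; empty list if the name has no address."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    # Drop any IPv6 scope id ("%eth0") so ipaddress can parse the string.
    return sorted({info[4][0].split("%")[0] for info in infos})


def served_by_third_party(addrs: List[str]) -> bool:
    """True if any address falls inside the third party's prefixes."""
    return any(
        ipaddress.ip_address(a) in net
        for a in addrs
        for net in THIRD_PARTY_PREFIXES
    )


def audit(names: List[str], resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Classify each name: 'third-party' (answers HTTP from the provider's
    space), 'self' (resolves elsewhere) or 'unresolved' (no address)."""
    report: Dict[str, str] = {}
    for name in names:
        addrs = resolve(name)
        if not addrs:
            report[name] = "unresolved"
        elif served_by_third_party(addrs):
            report[name] = "third-party"
        else:
            report[name] = "self"
    return report


if __name__ == "__main__":
    for name, status in audit(["www.example.com", "example.com"]).items():
        print(f"{name}: {status}")
```

The resolver is injectable so the classification can be exercised offline against a constructed answer set, or pointed at the zone's authoritative servers instead of the local cache.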

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy