* Patrick Figel:

> On 17/09/16 16:38, Florian Weimer wrote:
>> * Peter Bowen:
>> 
>>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <hanyuwe...@gmail.com>
>>> wrote:
>>>> So when I delegated the DNS service to Cloudflare, Cloudflare 
>>>> have the privilege to issue the certificate by default? Can I 
>>>> understand like that?
>>> 
>>> I would guess that they have a clause in their terms of service or 
>>> customer agreement that says they can update records in the DNS 
>>> zone and/or calls out that the subscriber consents to them getting
>>> a certificate for any domain name hosted on CloudFlare DNS.
>> 
>> I find it difficult to believe that the policies permit Cloudflare's 
>> behavior, but are expected to prevent the issue of interception 
>> certificates.  Aren't they rather similar, structurally?
>
> I don't see how they're similar. Interception certificates are issued
> without the knowledge and permission of the domain owner. Someone
> signing up for CloudFlare willingly chooses to trust a CDN provider with
> all their web traffic and DNS (in order to enable CloudFlare for a
> domain, the NS record for that domain needs to point to CloudFlare.)
>
> I could understand this argument if they'd somehow pretend to be a
> DNS-only provider and then abuse that to issue certificates. However,
> nothing about their site (or their marketing approach in general) gives
> me that impression - it's made quite clear that they're primarily a CDN
> with SSL support.

Well, there is <https://www.cloudflare.com/dns/>.

My concern goes like this: If I move my infrastructure to Cloudflare,
I give them implied permission, based on their terms of service, to
obtain an X.509 certificate for my domain names hosted there, so that
they can intercept traffic.

On the other hand, if I move my infrastructure to Germany, I give the
German authorities implied permission, based on applicable German law,
to ask my service provider to obtain an X.509 certificate for my domain
names hosted there, so that they can intercept traffic in the clear
(in accordance with German law).

In both cases, we have implied consent, but the alleged certificate
subscriber never has control over the private key, and how it is used.
I don't think either setup is intended to exist per the Mozilla CA
guidelines.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy