On Wednesday, 2 November 2016 15:26:37 UTC, Tom Ritter wrote:
> There's been (some) mention that even if a user moves off Cloudflare,
> the CA is not obligated to revoke. I don't agree with that. If a user
> purchased a domain from someone (or bought a recently expired domain)
> and a TLS certificate was still valid for it, would the new owner not
> be able to get it revoked? If so, how is this different?
ISRG / Let's Encrypt has said that although in principle they are sympathetic in this sort of scenario, there would be a big practical obstacle to achieving the certainty needed to revoke the old certificate (if they just said "Yes" without an investigation then you can DoS any certificate owner by sending off emails saying you just bought their domain and need the certificates to be revoked...), and they would recommend usually just to wait for the certificate to expire naturally (their end entity certificates of course only last 90 days each). That balance might look rather different for a 2 year EV certificate, but I believe the underlying principle (the validation is OK for a prolonged period under the BRs) is the same.

Maybe this can to some extent be fixed, but there are many other ways in which DNS names now have a footprint that extends beyond the life of the domain registration. Cookies and HSTS rules, spam blocks, Google search karma, and so on. So arguably buying the domain name foo.example "second hand" comes with many risks, and pre-existing Web PKI certs aren't one of the biggest. I suspect that even if you could get a license to name a new technology product "Zune" tomorrow that would be a bad idea too.

> Aside, it would be very interesting to watch domain renewals + contact
> info changes (if one can do this at scale) and pair it up with the CT
> logs to see how much of an issue this is/could be.

Most large registries go out of their way to make collecting bulk WHOIS data (which is what you need here) technically difficult, largely as a measure to protect registrants from truly mind-boggling amounts of spam from SEO companies and suchlike. A legitimate researcher (e.g. someone with related academic credentials) might be able to approach them and agree an NDA where they only release aggregate statistical results, in exchange for getting the raw data. But it may well just not be worth the hassle for a registry to agree to that.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
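The correlation the aside proposes (domain ownership changes paired with CT log data) reduces to a simple join once both datasets are in hand. The following is an added example, not code from the thread or from any CA or registry: it takes certificate records of the shape one would extract from CT (names, notBefore, notAfter) and a per-domain transfer date of the shape one would derive from WHOIS/registry data, and reports how long each pre-existing certificate remains valid for the previous holder after the new registrant takes over. All records, domains, issuer names and dates below are constructed for illustration; the point it makes concrete is the 90-day versus multi-year comparison in the reply above.

```python
"""Residual certificate validity after a domain changes hands.

Added example (not the thread's own code). Inputs are assumed to have been
obtained separately: certificate records as extracted from CT logs, and
ownership-change dates as derived from registry/WHOIS data. Everything
below is constructed sample data, not real CT or WHOIS output.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    domain: str      # a DNS name the certificate covers
    issuer: str      # issuing CA (constructed names)
    not_before: date
    not_after: date


# Constructed sample "CT" records.
CT_RECORDS = [
    # 90-day cert issued a month before foo.example changed hands
    CertRecord("foo.example", "Let's Encrypt", date(2016, 9, 1), date(2016, 11, 30)),
    # 90-day cert that had already expired before the transfer
    CertRecord("foo.example", "Let's Encrypt", date(2016, 6, 1), date(2016, 8, 30)),
    # 2-year cert (constructed EV CA) straddling the transfer by months
    CertRecord("foo.example", "Example EV CA", date(2015, 3, 1), date(2017, 3, 1)),
    # 90-day cert straddling bar.example's transfer
    CertRecord("bar.example", "Let's Encrypt", date(2016, 10, 15), date(2017, 1, 13)),
    # cert issued only after baz.example's transfer: belongs to the new owner
    CertRecord("baz.example", "Example DV CA", date(2016, 11, 5), date(2017, 11, 5)),
]

# Constructed registrant-change dates (stand-in for WHOIS contact changes).
TRANSFERS = {
    "foo.example": date(2016, 10, 1),
    "bar.example": date(2016, 11, 1),
    "baz.example": date(2016, 11, 1),
}


def straddling_certs(records, transfers):
    """Return (record, residual_days) for every certificate that was issued
    before the domain's transfer and was still valid on the transfer date.
    residual_days is how long the previous holder's cert outlives the change."""
    out = []
    for rec in records:
        transfer = transfers.get(rec.domain)
        if transfer is None:
            continue  # no ownership change known for this name
        if rec.not_before < transfer <= rec.not_after:
            out.append((rec, (rec.not_after - transfer).days))
    return out


def summarize(records, transfers):
    """Per domain: (number of straddling certs, longest residual validity in days).
    Domains with no straddling certificate are omitted."""
    summary = {}
    for rec, days in straddling_certs(records, transfers):
        count, longest = summary.get(rec.domain, (0, 0))
        summary[rec.domain] = (count + 1, max(longest, days))
    return summary


if __name__ == "__main__":
    for rec, days in straddling_certs(CT_RECORDS, TRANSFERS):
        print(f"{rec.domain:12} {rec.issuer:15} valid until {rec.not_after}: "
              f"{days:4d} days past transfer")
    print(summarize(CT_RECORDS, TRANSFERS))
```

On the constructed data the two Let's Encrypt certificates outlive their transfers by 60 and 73 days, while the constructed 2-year certificate outlives it by 151 days; the expired certificate and the one issued after the transfer are correctly excluded. With real inputs the same join, aggregated across many domains, is the "how much of an issue this is" figure the aside asks for.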

