On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter <[email protected]> wrote:
> On 2 November 2016 at 09:44, Jakob Bohm <[email protected]> wrote:
>> The only thing that might be a CA / BR issue would be this:
>
> There's been (some) mention that even if a user moves off Cloudflare,
> the CA is not obligated to revoke.  I don't agree with that. If a user
> purchased a domain from someone (or bought a recently expired domain)
> and a TLS certificate was still valid for it, would the new owner not
> be able to get it revoked?  If so, how is this different?

Tom,

As written today, there is no obligation of CAs to do anything at the
request of domain registrants.  There is an obligation that the CA
SHALL revoke a certificate if:

"The CA is made aware of any circumstance indicating that use of a
Fully-Qualified Domain Name or IP address in the Certificate is no
longer legally permitted (e.g. a court or arbitrator has revoked a
Domain Name Registrant’s right to use the Domain Name, a relevant
licensing or services agreement between the Domain Name Registrant and
the Applicant has terminated, or the Domain Name Registrant has failed
to renew the Domain Name)"

Note that this does not give special authority to registrants.  In
particular, the straight up "request revocation" option is limited to
the _Subscriber_, which is the entity that acquired the certificate.

I think that this is a massive gap, especially in the current state of
"WebPKI" where certificates are really a third party (CA) assertion
that they performed a Trust On First Use (TOFU) operation with the
objective that the CA is better positioned to avoid attackers than the
party later relying upon the certificate.

> Aside, it would be very interesting to watch domain renewals + contact
> info changes (if one can do this at scale) and pair it up with the CT
> logs to see how much of an issue this is/could be.

Given that every CA I know of will issue a certificate for a validity
period that exceeds the domain registration period, I suspect it is
not hard to find many certificates containing FQDNs under expired
domains.

Thanks,
Peter
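The measurement Tom proposes and the observation Peter makes (certificate validity that outlives the domain registration) can be checked mechanically by joining CT-log entries against registration data. The following is an added example, not code from the thread or from Mozilla; the certificate records and registration data are constructed inline, and `registrable_domain` is a hypothetical simplification (last two labels) standing in for a Public Suffix List lookup.

```python
from datetime import date

# Constructed CT-log-style certificate records (not real certificates or serials).
CT_RECORDS = [
    {"serial": "01", "sans": ["www.example.test", "example.test"],
     "not_before": "2016-01-10", "not_after": "2019-01-09"},
    {"serial": "02", "sans": ["mail.lapsed.test"],
     "not_before": "2016-06-01", "not_after": "2017-05-31"},
    {"serial": "03", "sans": ["shop.other.test"],
     "not_before": "2016-03-01", "not_after": "2016-12-01"},
    {"serial": "04", "sans": ["old.example.test"],
     "not_before": "2014-01-01", "not_after": "2016-01-01"},
]

# Constructed registration data, the shape a WHOIS/RDAP lookup would return,
# keyed by registrable domain.
REGISTRATIONS = {
    "example.test": {"expires": "2017-03-15", "registrant_changed": "2016-10-20"},
    "lapsed.test":  {"expires": "2016-09-30", "registrant_changed": "2014-01-01"},
    "other.test":   {"expires": "2018-03-15", "registrant_changed": "2015-02-01"},
}


def registrable_domain(fqdn):
    """Hypothetical simplification: last two labels as the registrable domain.
    A real tool must consult the Public Suffix List (e.g. co.uk)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _d(s):
    return date.fromisoformat(s)


def find_stale_certs(records, registrations, today):
    """Return (serial, san, reasons) for every unexpired SAN whose
    registration data suggests the certificate should be re-examined."""
    findings = []
    for rec in records:
        not_before, not_after = _d(rec["not_before"]), _d(rec["not_after"])
        if not_after < today:
            continue  # already expired: nothing left to revoke
        for san in rec["sans"]:
            reg = registrations.get(registrable_domain(san))
            if reg is None:
                continue  # no registration data for this name
            expires = _d(reg["expires"])
            changed = _d(reg["registrant_changed"])
            reasons = []
            if not_after > expires:
                reasons.append("validity outlives registration")
            if expires < today:
                reasons.append("domain registration expired")
            if not_before < changed <= today:
                reasons.append("registrant changed after issuance")
            if reasons:
                findings.append((rec["serial"], san, reasons))
    return findings


if __name__ == "__main__":
    for serial, san, reasons in find_stale_certs(CT_RECORDS, REGISTRATIONS, date(2016, 11, 2)):
        print(f"serial {serial} {san}: {', '.join(reasons)}")
```

The three conditions map onto the BR clause quoted above: a certificate that outlives the registration can only stay valid if the registrant renews, an expired registration is the "failed to renew" case, and a registrant change after issuance is the situation in which the Subscriber may no longer be the party entitled to the name. None of these proves a violation on its own; each marks a certificate a registrant or relying party would want examined.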
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy