On 02/11/2016 17:08, Peter Bowen wrote:
On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter <[email protected]> wrote:
On 2 November 2016 at 09:44, Jakob Bohm <[email protected]> wrote:
The only thing that might be a CA / BR issue would be this:

There's been (some) mention that even if a user moves off Cloudflare,
the CA is not obligated to revoke.  I don't agree with that. If a user
purchased a domain from someone (or bought a recently expired domain)
and a TLS certificate was still valid for it, would the new owner not
be able to get it revoked?  If so, how is this different?

Tom,

As written today, there is no obligation of CAs to do anything at the
request of domain registrants.  There is an obligation that the CA
SHALL revoke a certificate if:

"The CA is made aware of any circumstance indicating that use of a
Fully-Qualified Domain Name or IP address in the Certificate is no
longer legally permitted (e.g. a court or arbitrator has revoked a
Domain Name Registrant's right to use the Domain Name, a relevant
licensing or services agreement between the Domain Name Registrant and
the Applicant has terminated, or the Domain Name Registrant has failed
to renew the Domain Name)"


Note that the phrase "services agreement" seems to apply directly to
the Cloudflare situation.  When a domain owner stops using Cloudflare,
the services agreement between the domain registrant and Cloudflare has
terminated.  Thus, when a CA is made aware that a domain registrant has
stopped using Cloudflare, the above clause is triggered directly,
leaving only the possibility that the domain registrant explicitly
wants to keep the certificate in place for an upcoming return to
Cloudflare.

Note that this does not give special authority to registrants.  In
particular, the straight up "request revocation" option is limited to
the _Subscriber_, which is the entity that acquired the certificate.

I think that this is a massive gap, especially in the current state of
"WebPKI" where certificates are really a third party (CA) assertion
that they performed a Trust On First Use (TOFU) operation with the
objective that the CA is better positioned to avoid attackers than the
party later relying upon the certificate.

Aside, it would be very interesting to watch domain renewals + contact
info changes (if one can do this at scale) and pair it up with the CT
logs to see how much of an issue this is/could be.

Given that every CA I know of will issue a certificate for a validity
period that exceeds the domain registration period, I suspect it is
not hard to find many certificates containing FQDNs under expired
domains.


Again, the above text explicitly says that if the CA is made aware that
the domain has not been renewed, it must act accordingly.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
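Added example, not from the thread or from any of its participants: the
measurement floated above (pairing CT log data with domain registration
dates to find certificates that outlive, or have already outlived, the
registration of a name they contain) sketched as a small offline checker.
The CT-style records, the registrar expiry dates, the tiny public-suffix
set and the helper names (registered_domain, check_certificate, audit,
run_audit) are all constructed here for illustration; a real run would pull
records from a CT log monitor and expiry dates from registrar RDAP/WHOIS,
and would use a full public suffix list rather than the stub below.

```python
"""Cross-check certificate validity periods against domain registration expiry.

Added example. All data below is constructed; nothing here is taken from
CT logs or from a registrar.
"""
from datetime import date

# Constructed CT-style records: what a monitor might extract per certificate.
CT_RECORDS = [
    {"serial": "01", "sans": ["www.example.com", "example.com"],
     "not_before": "2016-01-10", "not_after": "2019-01-10"},
    {"serial": "02", "sans": ["*.expired.net"],
     "not_before": "2016-03-01", "not_after": "2017-03-01"},
    {"serial": "03", "sans": ["shop.example.co.uk"],
     "not_before": "2016-01-01", "not_after": "2017-01-01"},
    {"serial": "04", "sans": ["old.unknown.org"],
     "not_before": "2016-06-01", "not_after": "2016-12-01"},
    {"serial": "05", "sans": ["stale.expired.net"],
     "not_before": "2015-05-01", "not_after": "2016-05-01"},
]

# Constructed registrar expiry dates, keyed by registered domain (eTLD+1).
# "unknown.org" is deliberately absent to show the "no data" path.
REGISTRATION_EXPIRY = {
    "example.com": "2017-06-01",
    "expired.net": "2016-09-30",
    "example.co.uk": "2018-01-01",
}

# Assumption: a stub public-suffix set. Real code would load the full
# Public Suffix List; this is only enough for the constructed records.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registered_domain(fqdn):
    """Return the registered domain (public suffix plus one label) for a SAN.

    Wildcard prefixes are stripped. Returns None when the name is itself a
    public suffix, which no registrant can hold.
    """
    labels = fqdn.lower().lstrip("*.").split(".")
    for i in range(len(labels)):
        # The first (shortest index) match is the longest matching suffix.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def check_certificate(record, expiry, today):
    """Return (san, finding) pairs for one certificate record.

    Findings:
      unknown-registration       no expiry date known for the registered domain
      domain-expired-cert-valid  registration already lapsed, cert still valid
      cert-outlives-registration cert notAfter is later than registration expiry
    A certificate that is itself already expired produces no finding.
    """
    not_after = date.fromisoformat(record["not_after"])
    findings = []
    for san in record["sans"]:
        reg = registered_domain(san)
        exp_str = expiry.get(reg) if reg else None
        if exp_str is None:
            findings.append((san, "unknown-registration"))
            continue
        exp = date.fromisoformat(exp_str)
        if exp < today and not_after >= today:
            findings.append((san, "domain-expired-cert-valid"))
        elif not_after > exp:
            findings.append((san, "cert-outlives-registration"))
    return findings


def audit(records, expiry, today):
    """Map serial -> findings for every record that has at least one finding."""
    result = {}
    for record in records:
        findings = check_certificate(record, expiry, today)
        if findings:
            result[record["serial"]] = findings
    return result


def run_audit(today=date(2016, 11, 2)):
    """Run the audit over the constructed data as of the thread's date."""
    return audit(CT_RECORDS, REGISTRATION_EXPIRY, today)


if __name__ == "__main__":
    for serial, findings in sorted(run_audit().items()):
        for san, finding in findings:
            print(f"serial {serial}: {san}: {finding}")
```

The distinction between "cert-outlives-registration" and
"domain-expired-cert-valid" matters for the BR clause quoted above: the
first is only a latent problem (the registrant may still renew), while the
second is a live case where the CA, once made aware, is obliged to revoke.
Record "05" shows that a certificate which has already expired is not
reported, since nothing is left to revoke.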
