On Wed, Nov 2, 2016 at 9:38 AM, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
> On 02/11/2016 17:08, Peter Bowen wrote:
>>
>> On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter <t...@ritter.vg> wrote:
>>>
>>> On 2 November 2016 at 09:44, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
>>>>
>>>> The only thing that might be a CA / BR issue would be this:
>>>
>>>
>>> There's been (some) mention that even if a user moves off Cloudflare,
>>> the CA is not obligated to revoke.  I don't agree with that. If a user
>>> purchased a domain from someone (or bought a recently expired domain)
>>> and a TLS certificate was still valid for it, would the new owner not
>>> be able to get it revoked?  If so, how is this different?
>>
>>
>> Tom,
>>
>> As written today, there is no obligation of CAs to do anything at the
>> request of domain registrants.  There is an obligation that the CA
>> SHALL revoke a certificate if:
>>
>> " The CA is made aware of any circumstance indicating that use of a
>> Fully-Qualified Domain Name or IP
>> address in the Certificate is no longer legally permitted (e.g. a
>> court or arbitrator has revoked a Domain Name
>> Registrant’s right to use the Domain Name, a relevant licensing or
>> services agreement between the Domain
>> Name Registrant and the Applicant has terminated, or the Domain Name
>> Registrant has failed to renew the
>> Domain Name)"
>>
>
> Note that the phrase "services agreement" seems to apply directly to
> the Cloudflare situation.  When a domain owner stops using Cloudflare,
> the services agreement between the domain registrant and Cloudflare has
> terminated.  Thus when a CA is made aware that a domain registrant has
> stopped using Cloudflare, the above clause is triggered directly,
> leaving only the possibility that the domain registrant explicitly
> wants to keep the certificate in place for an upcoming return to
> Cloudflare.

I agree that would appear to cover this case.

>> Note that this does not give special authority to registrants.  In
>> particular, the straight up "request revocation" option is limited to
>> the _Subscriber_, which is the entity that acquired the certificate.
>>
>> I think that this is a massive gap, especially in the current state of
>> "WebPKI" where certificates are really a third party (CA) assertion
>> that they performed a Trust On First Use (TOFU) operation with the
>> objective that the CA is better positioned to avoid attackers than the
>> party later relying upon the certificate.
>>
>>> Aside, it would be very interesting to watch domain renewals + contact
>>> info changes (if one can do this at scale) and pair it up with the CT
>>> logs to see how much of an issue this is/could be.
>>
>>
>> Given that every CA I know of will issue a certificate for a validity
>> period that exceeds the domain registration period, I suspect it is
>> not hard to find many certificates containing FQDNs under expired
>> domains.
>>
>
> Again, the above text explicitly says that if the CA is made aware that
> the domain has not been renewed, it must act accordingly.

Yes, but it does not require CAs to go checking such.  I strongly
doubt any CA is proactively revoking certificates for expired domains.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy