On Wednesday, November 2, 2016 at 11:34:44 PM UTC+1, Peter Gutmann wrote:
> Tom Ritter writes:
> 
> >There's been (some) mention that even if a user moves off Cloudflare, the CA
> >is not obligated to revoke.
> 
> Would it matter?  I guess it depends on circumstances (whether you control the
> private key or Cloudflare does, whether you intend to use the same domain
> elsewhere or not, etc), but in most cases it seems like no revocation is
> necessary, you destroy or stop using the private key and that's it.  

That is exactly the point of it: the "domain owner" / "Cloudflare customer"
does not have or ever get the key of the certificate that was created without
the knowledge of the domain owner. And Cloudflare will continue using the
wildcard certificate with a number of domains in it. Oh, and they are valid
for 2 years!

> Even in
> the worst-case scenario, Cloudflare has your private key and you intend to
> keep using the domain, presumably there's some contractual obligation for them
> to stop using it when you close your account with them.  It seems like a
> revocation isn't necessary (not just for this but for pretty much every
> revocation reason except keyCompromise).
> 
> Peter.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
