I think the whole point of domain validation certificates is taking the human part out of it and verifying technical control of the domain as the standard upon which to base issuance.
Since the CA is also the DNS server, it's more or less a given that they certainly can or would successfully validate. It's noteworthy that domain validation is about demonstrating control rather than ownership. The party actually running the authoritative DNS servers is in control of the domain. I'm not suggesting that the CA did anything untoward in issuing this certificate. I am not suggesting that at all. I am, however, suggesting that even if they admitted to just creating a new certificate for the domain without contacting the owner, I think that wouldn't technically be a misissuance, right?

On Thu, Jul 26, 2018 at 10:40 AM, Tom via dev-security-policy <[email protected]> wrote:

> On Wednesday, 25 July 2018 21:08:59 UTC, [email protected] wrote:
> > Hello,
> >
> > My domain registrar who is also a certificate authority just issued a
> > precertificate (visible in CT logs) and a valid
> > certificate for my domain. This is part of their new offer to
> > automatically offer free certificates for all of their domains:
> > https://www.nazwa.pl/certyfikaty-ssl/
> >
> > I had a CAA record that only allowed letsencrypt.org to issue
> > certificates for my domain:
> > `lebihan.pl. 3600 IN CAA 0 issue "letsencrypt.org"`
> >
> > I think my domain registrar just violated my CAA by issuing that
> > certificate. Were they allowed to issue this certificate?
>
> Can you clarify if _you_ initiated the certificate request; or if the
> certificate was created and signed without any action from you?
>
> I think those are two very different cases. If you initiated it, they
> didn't CAA (because they weren't required to.) If you didn't... isn't that
> a rogue issuance?
>
> -tom
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
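The thread turns on what a CAA record like `lebihan.pl. 3600 IN CAA 0 issue "letsencrypt.org"` actually permits a CA to do. The following is an added example, not code from the thread or from any CA or registrar mentioned in it; it implements the issuance check a CA is required to perform under RFC 8659 (Relevant RRset lookup by climbing the name tree, `issue` versus `issuewild` selection for wildcard names, the empty-issuer `issue ";"` prohibition, and the issuer-critical flag) over a DNS zone that is constructed inline, so it runs offline. The `lebihan.pl` record comes from the thread; the other names and the CA identifier `other-ca.example` are constructed placeholders. CNAME following and DNSSEC validation are out of scope here and would be done by the resolver in a real deployment.

```python
"""CAA issuance check per RFC 8659 over a constructed, in-memory zone.

Added example for illustration; not the thread's or any CA's code.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80  # RFC 8659 section 4.1: bit 7 of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone: FQDN -> CAA records published at that exact name.
# Only the lebihan.pl record is taken from the thread.
ZONE = {
    "lebihan.pl": [CAA(0, "issue", "letsencrypt.org")],
    # Constructed: any CA may issue host names, nobody may issue wildcards.
    "example.test": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "issuewild", ";")],
    # Constructed: "issue ;" forbids issuance by every CA.
    "locked.example.test": [CAA(0, "issue", ";")],
    # Constructed: a critical tag this checker does not understand.
    "strict.example.test": [CAA(ISSUER_CRITICAL, "futuretag", "x")],
    # Constructed: only a reporting address, no issue restriction.
    "reporting.example.test": [CAA(0, "iodef", "mailto:caa@example.test")],
}


def parent(name: str) -> str:
    """Strip the leftmost label; the root is represented by the empty string."""
    return name.partition(".")[2]


def relevant_rrset(zone: dict, fqdn: str) -> list:
    """RFC 8659 section 3: R(X) is CAA(X) if non-empty, else R(parent(X)).

    A wildcard request *.X starts the search at X.
    """
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    name = name.rstrip(".").lower()
    while name:
        rrs = zone.get(name, [])
        if rrs:
            return rrs
        name = parent(name)
    return []  # no CAA anywhere up the tree


def issuer_domain(value: str) -> str:
    """Extract the issuer-domain-name from an issue/issuewild value.

    Parameters after ';' are ignored here; 'issue ;' yields '' which never
    matches a CA, so it denies everyone.
    """
    return value.partition(";")[0].strip().lower()


def ca_may_issue(zone: dict, fqdn: str, ca_domain: str) -> bool:
    """Return True if CA `ca_domain` is permitted to issue a cert for `fqdn`."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA policy published: issuance is not restricted

    # A critical property the issuer does not understand blocks issuance.
    for rr in rrset:
        if rr.flags & ISSUER_CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False

    # issuewild governs wildcard names when present; otherwise issue applies.
    tag = "issue"
    if fqdn.startswith("*.") and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    selected = [r for r in rrset if r.tag.lower() == tag]
    if not selected:
        return True  # e.g. only iodef records: no issue restriction in force

    allowed = {issuer_domain(r.value) for r in selected}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, ca in [("lebihan.pl", "letsencrypt.org"),
                     ("lebihan.pl", "other-ca.example"),
                     ("www.lebihan.pl", "other-ca.example"),
                     ("*.example.test", "letsencrypt.org")]:
        print(f"{ca:>18} -> {name:<18} permitted={ca_may_issue(ZONE, name, ca)}")
```

Note that the check says nothing about who asked for the certificate: CAA binds the issuing CA's identity, not the requester's, which is exactly why the question of whether the domain holder initiated the request does not change the answer the policy gives for a CA whose issuer domain is not listed.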

