Posting on behalf of [email protected] . Note, please do not take this as an endorsement of the comments.
On Fri, Feb 24, 2017 at 3:08 PM, Ryan Sleevi <[email protected]> wrote: > > My own is I'd be willing to deal with the increased risk (that comes from > using "Example CA"'s DNS services, which would allow them to potentially > issue a certificate in contravention of my CAA record), so long as it could > be clear as a domain holder that I'm accepting that risk. If I didn't want > it, I'd just choose to operate my DNS from someone who is not a CA > (assuming I could determine that). > I'd like to ask for consideration of what I'd call the "Cloudflare problem" -- providers who mandate the use of their DNS service in order to use other, marginally-related services[1]. Were there an organisation which had a "must delegate to us" policy which also operated a CA, they would, by this suggestion that "DNS operator == full authoritah", have authority to issue certificates for the domain. While migrating away from (or deciding not to use) services which require DNS delegation is, indeed, entirely possible, the bundling of other services changes the migration calculus quite considerably. Losing a number of other useful, valuable services in order to maintain control over certificate issuance is a lot harder to swallow than "just" migrating DNS. My main concern, in the general case, is that a rule such as that proposed would encourage more CA-affiliated services to put in place a "delegate only" policy in order to allow an end-run around CAA checking. I don't think that serves the interests of any stakeholder in the WebPKI, other than CAs. - Matt [1] For those who aren't aware, in order to use Cloudflare's DDoS protection and other security services, you *must* delegate your domain to their DNS servers (with one or two exceptions that aren't relevant to 99%+ of all potential users of their service). No delegation -> no service.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
