That's a great tool!  Thank you for sharing it.

One blind spot I can imagine is, at least for Let's Encrypt, CAA checking
is done only after the initial HTTP/DNS/TLS-ALPN acme challenge completes.
Would you consider allowing the user to upload TXT or CAA records to the
test server, or HTTP response serving, allowing completion of the
validation?
Julia Evans's https://messwithdns.net/ comes to mind as an example of a
similar tool, intended as a DNS teaching tool.

On Sun, Dec 31, 2023 at 12:00 PM Andrew Ayer <[email protected]> wrote:

> I'm happy to announce a new tool for inspecting the domain validation
> practices of CAs:
>
> https://dcv-inspector.com
>
> You can use DCV Inspector to determine the vantage points from which the
> CA sends domain validation requests, and to detect the use of Delegated
> Third Parties, such as Google Public DNS.  It works by creating a unique
> subdomain for each test.  When you request a certificate from a
> CA for this subdomain, DCV Inspector records all of the DNS queries,
> HTTP requests, and emails sent to the subdomain, and presents them
> to you for your inspection.
>
> Example test report:
> https://dcv-inspector.com/test/46e4bd9d8faef1d36bab7a9eff7b9524
>
> At the moment, DCV Inspector doesn't make any assessment about whether
> or not the test results are compliant, but I envision a future
> version including some automated compliance checks where possible.
>
> DCV Inspector is open source and can be self-hosted if desired.
> Bug reports and feature ideas (especially about possible automated
> compliance checks) are welcome, either here or at GitHub:
> https://github.com/SSLMate/dcv-inspector
>
> Unfortunately, the majority of CAs are difficult to test because
> their certificates cost money or are not even offered to the
> general public.  A lot of badness may be flying under the radar
> as a result, such as the use of public DNS resolvers.  Consider
> https://bugzilla.mozilla.org/show_bug.cgi?id=1872371 which was only
> detected because the CA offers a free ACME endpoint.  There are surely
> other CAs using public DNS resolvers.
>
> I believe it would be extremely beneficial to require CAs to offer some
> sort of public endpoint for issuing test certificates so that their
> domain validation practices can be independently verified.  A more
> modest proposal that would also help would be requiring CAs to include
> a DCV Inspector test report as part of their annual self-assessment.
> Would love to hear your thoughts about how to improve transparency into
> domain validation practices!
>
> Regards & happy new year,
> Andrew
>
> --
> You received this message because you are subscribed to the Google Groups
> "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/ccadb.org/d/msgid/public/20231231100033.6589c96e45aba5f4a74e53e5%40andrewayer.name
> .
>

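The reply above turns on when a CA evaluates CAA relative to the ACME challenge. The snippet below is an added example, not code from DCV Inspector or from either poster: it implements the issuer-side CAA decision of RFC 8659 (climb to the parent zone until a non-empty CAA RRset is found; honour the Issuer Critical flag; let issuewild override issue for wildcard names; treat an empty issuer value such as ";" as "no one may issue") against a constructed in-memory zone instead of live DNS. The zone names, issuer domains and account parameter are made up for the example; a real CA would plug its resolver into lookup_caa() and run this before or after the challenge as its policy dictates.

```python
"""Issuer-side CAA evaluation per RFC 8659, over a constructed zone (added example)."""
from dataclasses import dataclass

CRITICAL = 0x80  # Issuer Critical flag (bit 7 of the CAA flags octet)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed stand-in for DNS answers: owner name -> CAA RRset (names are made up).
CONSTRUCTED_ZONE = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),          # ";" = no wildcard issuance at all
        CAARecord(0, "iodef", "mailto:caa@example.com"),
    ],
    "nocaa.example.": [],                         # name exists, no CAA records
    "odd.example.": [CAARecord(CRITICAL, "futuretag", "x")],  # unknown critical tag
    "params.example.": [
        CAARecord(0, "issue", "ca.example.net; accounturi=https://ca.example.net/acct/1"),
    ],
}


def lookup_caa(zone, owner):
    """Stand-in for a CAA query; returns the RRset for an absolute owner name."""
    return zone.get(owner, [])


def relevant_caa_set(zone, domain):
    """RFC 8659 section 3: return CAA(X) if non-empty, else recurse on the parent of X."""
    labels = domain.rstrip(".").split(".")
    while labels:
        rrset = lookup_caa(zone, ".".join(labels) + ".")
        if rrset:
            return rrset
        labels.pop(0)
    return []  # reached the root without finding CAA: issuance unrestricted


def parse_issue_value(value):
    """Split 'issuer-domain-name; key=value; ...' into (issuer or None, params dict)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower() or None  # empty issuer means "no issuance"
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return issuer, params


def may_issue(zone, domain, ca_issuer_domain):
    """Decide whether the CA identified by ca_issuer_domain may issue for domain.

    A leading '*.' marks a wildcard request; the CAA tree walk then starts at the
    parent, and issuewild records (if any exist) replace issue records.
    Returns (allowed, reason).
    """
    wildcard = domain.startswith("*.")
    if wildcard:
        domain = domain[2:]
    ca = ca_issuer_domain.lower()
    rrset = relevant_caa_set(zone, domain)
    if not rrset:
        return True, "no CAA records found: issuance unrestricted"

    known_tags = {"issue", "issuewild", "iodef"}
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in known_tags:
            return False, f"unrecognised critical tag '{rr.tag}': must not issue"

    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"  # RFC 8659 section 4.3: issuewild overrides issue for wildcards
    relevant = [rr for rr in rrset if rr.tag.lower() == tag]
    if not relevant:
        return True, f"no '{tag}' records in relevant RRset: issuance unrestricted"

    for rr in relevant:
        issuer, params = parse_issue_value(rr.value)
        if issuer == ca:
            detail = f" with params {params}" if params else ""
            return True, f"'{tag}' record authorises {ca}{detail}"
    return False, f"'{tag}' records present but none names {ca}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("host.nocaa.example", "anyca.example"),
                     ("odd.example", "letsencrypt.org")]:
        print(name, ca, may_issue(CONSTRUCTED_ZONE, name, ca))
```

The tree walk is why a test service that only observes DNS queries (as DCV Inspector does) sees CAA lookups for the test subdomain and its parents; whether those lookups happen before or after the ACME challenge is a CA implementation choice that this function does not encode.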