Hi Matthew,

That's a great idea! I've added support for publishing TXT/CAA records and HTTP files.

I've also added a CT client to the test result page so you can easily see all the certificates that have been issued.

Example test result for a complete Let's Encrypt issuance using lego with the DNS challenge: https://dcv-inspector.com/test/f34ceb24402eace6fdef190a3ffd0b1d

Cheers,
Andrew

On Fri, 5 Jan 2024 14:58:27 -0500 "'Matthew McPherrin' via CCADB Public" <[email protected]> wrote:

> That's a great tool! Thank you for sharing it.
>
> One blind spot I can imagine is, at least for Let's Encrypt, CAA checking is done only after the initial HTTP/DNS/TLS-ALPN acme challenge completes. Would you consider allowing the user to upload TXT or CAA records to the test server, or HTTP response serving, allowing completion of the validation?
> Julia Evans' https://messwithdns.net/ comes to mind as an example of a similar tool, intended as a DNS teaching tool.
>
> On Sun, Dec 31, 2023 at 12:00 PM Andrew Ayer <[email protected]> wrote:
>
> > I'm happy to announce a new tool for inspecting the domain validation practices of CAs:
> >
> > https://dcv-inspector.com
> >
> > You can use DCV Inspector to determine the vantage points from which the CA sends domain validation requests, and to detect the use of Delegated Third Parties, such as Google Public DNS. It works by creating a unique subdomain for each test. When you request a certificate from a CA for this subdomain, DCV Inspector records all of the DNS queries, HTTP requests, and emails sent to the subdomain, and presents them to you for your inspection.
> >
> > Example test report: https://dcv-inspector.com/test/46e4bd9d8faef1d36bab7a9eff7b9524
> >
> > At the moment, DCV Inspector doesn't make any assessment about whether or not the test results are compliant, but I envision a future version including some automated compliance checks where possible.
> >
> > DCV Inspector is open source and can be self-hosted if desired. Bug reports and feature ideas (especially about possible automated compliance checks) are welcome, either here or at GitHub: https://github.com/SSLMate/dcv-inspector
> >
> > Unfortunately, the majority of CAs are difficult to test because their certificates cost money or are not even offered to the general public. A lot of badness may be flying under the radar as a result, such as the use of public DNS resolvers. Consider https://bugzilla.mozilla.org/show_bug.cgi?id=1872371 which was only detected because the CA offers a free ACME endpoint. There are surely other CAs using public DNS resolvers.
> >
> > I believe it would be extremely beneficial to require CAs to offer some sort of public endpoint for issuing test certificates so that their domain validation practices can be independently verified. A more modest proposal that would also help would be requiring CAs to include a DCV Inspector test report as part of their annual self-assessment. Would love to hear your thoughts about how to improve transparency into domain validation practices!
> >
> > Regards & happy new year,
> > Andrew
> >
> > --
> > You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/20231231100033.6589c96e45aba5f4a74e53e5%40andrewayer.name.
>
> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAKh5S0asKQWo5QdKBo%3DQn9w%2BV5dfQ_NufanzECaO-X%2B%2Bqsd6EQ%40mail.gmail.com.
-- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/20240107120653.b0ff7f29b2e18184faf3c68e%40andrewayer.name.
