Amazing! I'm sure this will be a helpful tool. Thanks so much for taking the time to build and share it.
On Sun, Jan 7, 2024 at 2:06 PM Andrew Ayer <[email protected]> wrote:
> Hi Matthew,
>
> That's a great idea! I've added support for publishing TXT/CAA records
> and HTTP files.
>
> I've also added a CT client to the test result page so you can easily
> see all the certificates that have been issued.
>
> Example test result for a complete Let's Encrypt issuance using lego
> with the DNS challenge:
> https://dcv-inspector.com/test/f34ceb24402eace6fdef190a3ffd0b1d
>
> Cheers,
> Andrew
>
> On Fri, 5 Jan 2024 14:58:27 -0500
> "'Matthew McPherrin' via CCADB Public" <[email protected]> wrote:
>
> > That's a great tool! Thank you for sharing it.
> >
> > One blind spot I can imagine is, at least for Let's Encrypt, CAA
> > checking is done only after the initial HTTP/DNS/TLS-ALPN ACME
> > challenge completes. Would you consider allowing the user to upload
> > TXT or CAA records to the test server, or HTTP response serving,
> > allowing completion of the validation?
> > Julia Evans's https://messwithdns.net/ comes to mind as an example of a
> > similar tool, intended as a DNS teaching tool.
> >
> > On Sun, Dec 31, 2023 at 12:00 PM Andrew Ayer <[email protected]>
> > wrote:
> >
> > > I'm happy to announce a new tool for inspecting the domain
> > > validation practices of CAs:
> > >
> > > https://dcv-inspector.com
> > >
> > > You can use DCV Inspector to determine the vantage points from
> > > which the CA sends domain validation requests, and to detect the
> > > use of Delegated Third Parties, such as Google Public DNS. It
> > > works by creating a unique subdomain for each test. When you
> > > request a certificate from a CA for this subdomain, DCV Inspector
> > > records all of the DNS queries, HTTP requests, and emails sent to
> > > the subdomain, and presents them to you for your inspection.
> > >
> > > Example test report:
> > > https://dcv-inspector.com/test/46e4bd9d8faef1d36bab7a9eff7b9524
> > >
> > > At the moment, DCV Inspector doesn't make any assessment about
> > > whether or not the test results are compliant, but I envision a
> > > future version including some automated compliance checks where
> > > possible.
> > >
> > > DCV Inspector is open source and can be self-hosted if desired.
> > > Bug reports and feature ideas (especially about possible automated
> > > compliance checks) are welcome, either here or at GitHub:
> > > https://github.com/SSLMate/dcv-inspector
> > >
> > > Unfortunately, the majority of CAs are difficult to test because
> > > their certificates cost money or are not even offered to the
> > > general public. A lot of badness may be flying under the radar
> > > as a result, such as the use of public DNS resolvers. Consider
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1872371 which was only
> > > detected because the CA offers a free ACME endpoint. There are
> > > surely other CAs using public DNS resolvers.
> > >
> > > I believe it would be extremely beneficial to require CAs to offer
> > > some sort of public endpoint for issuing test certificates so that
> > > their domain validation practices can be independently verified. A
> > > more modest proposal that would also help would be requiring CAs to
> > > include a DCV Inspector test report as part of their annual
> > > self-assessment. Would love to hear your thoughts about how to
> > > improve transparency into domain validation practices!
> > >
> > > Regards & happy new year,
> > > Andrew
> > >
> > > --
> > > You received this message because you are subscribed to the Google
> > > Groups "CCADB Public" group.
> > > To unsubscribe from this group and stop receiving emails from it,
> > > send an email to [email protected].
> > > To view this discussion on the web visit
> > > https://groups.google.com/a/ccadb.org/d/msgid/public/20231231100033.6589c96e45aba5f4a74e53e5%40andrewayer.name
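The thread above describes two things a CA does for a DNS-01 issuance: it looks up the `_acme-challenge` TXT record, and (for Let's Encrypt, as Matthew notes) it consults CAA only after that challenge has passed. The following is an added example, not DCV Inspector's code and not anything posted in the thread, that models both steps offline: the TXT value is derived per RFC 8555 (key authorization = token "." JWK thumbprint, TXT = base64url(SHA-256(key authorization))), and the CAA decision follows RFC 8659 (climb from the FQDN toward the root, first non-empty CAA RRset governs; `issuewild` falls back to `issue`; a bare `;` forbids everyone; a critical flag on an unknown tag forbids issuance). The zone, token, account key and domain names are all constructed placeholders.

```python
# Added example: a model of one DNS-01 validation in the order the thread
# describes (challenge first, CAA afterwards). All fixtures are constructed;
# the "account key" is not a real curve point, only JSON that gets hashed.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout (RFC 8555 §8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Key authorization = token '.' thumbprint (RFC 8555 §8.1); the DNS-01 TXT
    record carries base64url(SHA-256(key authorization)) (§8.4)."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_validate(zone: dict, fqdn: str, token: str, account_jwk: dict) -> bool:
    """CA side of DNS-01: read TXT at _acme-challenge.<fqdn>, accept on an exact match."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in zone.get(f"_acme-challenge.{fqdn}", {}).get("TXT", [])


def caa_relevant_rrset(zone: dict, fqdn: str):
    """RFC 8659 §3: first non-empty CAA RRset walking from the FQDN up to the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner, {}).get("CAA", [])
        if rrset:
            return owner, rrset
    return None, []


def caa_permits(zone: dict, fqdn: str, issuer_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 §4: may `issuer_domain` issue for fqdn (or *.fqdn)? Records are (flags, tag, value)."""
    _, rrset = caa_relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag not in known for flags, tag, _ in rrset):
        return False  # critical flag on a tag the issuer does not understand
    wanted = "issuewild" if wildcard else "issue"
    values = [v for _, tag, v in rrset if tag == wanted]
    if wildcard and not values:  # §4.3: no issuewild, so issue governs wildcards too
        values = [v for _, tag, v in rrset if tag == "issue"]
    if not values:
        return True  # RRset restricts nothing (e.g. only iodef)
    for value in values:
        name = value.split(";", 1)[0].strip().lower()  # issuer-domain-name before parameters
        if name and name == issuer_domain.lower():
            return True
    return False  # no match, which also covers the explicit "forbid all" value ';'


def simulate_issuance(zone, fqdn, token, account_jwk, issuer_domain, wildcard=False):
    """Challenge first; CAA only once the challenge passed (the ordering noted in the thread)."""
    result = {"dns01": dns01_validate(zone, fqdn, token, account_jwk), "caa": None}
    if result["dns01"]:
        result["caa"] = caa_permits(zone, fqdn, issuer_domain, wildcard)
    result["issue"] = bool(result["dns01"] and result["caa"])
    return result


# Constructed fixtures (placeholder key material, token and names).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # shape of an ACME token, constructed
TEST_FQDN = "testid01.dcv-inspector.example"

ZONE = {
    # CAA sits one label above the test subdomain, so the tree climb has to find it.
    "dcv-inspector.example": {"CAA": [(0, "issue", "letsencrypt.org"),
                                      (0, "issuewild", ";"),
                                      (0, "iodef", "mailto:security@dcv-inspector.example")]},
    f"_acme-challenge.{TEST_FQDN}": {"TXT": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]},
}

if __name__ == "__main__":
    print(simulate_issuance(ZONE, TEST_FQDN, TOKEN, ACCOUNT_JWK, "letsencrypt.org"))
    print(simulate_issuance(ZONE, TEST_FQDN, "wrong-token", ACCOUNT_JWK, "letsencrypt.org"))
```

Running the second call shows why Matthew's request matters for a tool like DCV Inspector: when the challenge fails, `caa` stays `None`, i.e. the CAA lookup is never observed, so a test that cannot complete the challenge cannot show how the CA resolves CAA.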
