It looks like quite a lot of CAs may have this class of problem, but as it is hard for outsiders to get a certificate from every CA, should a root program start an investigation into it?

On Wednesday, January 10, 2024 at 8:33:33 AM UTC+9, Antonios Chariton wrote:
> Thanks for the great tool Andrew, it's going to help us troubleshoot and
> record things in an easier and more organized manner!
>
> It's really nice, constantly improved, and it looks like you made it
> during the holidays, so thanks for taking the time then.
>
> One idea I had was to add 1.1.1.1 as a DTP
> (https://developers.cloudflare.com/1.1.1.1/faq/#can-ips-used-by-1.1.1.1-be-allowlisted)
> as they seem to be used too by some CAs
> (https://dcv-inspector.com/test/2a87fdfb8c6aed848fe644d269ab44ef).
>
> I am happy to send a PR if you'd like this, for
> https://github.com/SSLMate/dcv-inspector/blob/main/dtp.go#L44 /
> https://github.com/SSLMate/dcv-inspector/blob/main/dtp.go#L64
>
> Thanks,
> Antonis
>
> On Jan 7, 2024, at 20:06, Andrew Ayer <[email protected]> wrote:
>
>> Hi Matthew,
>>
>> That's a great idea! I've added support for publishing TXT/CAA records
>> and HTTP files.
>>
>> I've also added a CT client to the test result page so you can easily
>> see all the certificates that have been issued.
>>
>> Example test result for a complete Let's Encrypt issuance using lego
>> with the DNS challenge:
>> https://dcv-inspector.com/test/f34ceb24402eace6fdef190a3ffd0b1d
>>
>> Cheers,
>> Andrew
>>
>> On Fri, 5 Jan 2024 14:58:27 -0500
>> "'Matthew McPherrin' via CCADB Public" <[email protected]> wrote:
>>
>>> That's a great tool! Thank you for sharing it.
>>>
>>> One blind spot I can imagine is, at least for Let's Encrypt, CAA
>>> checking is done only after the initial HTTP/DNS/TLS-ALPN ACME
>>> challenge completes. Would you consider allowing the user to upload
>>> TXT or CAA records to the test server, or HTTP response serving,
>>> allowing completion of the validation?
>>>
>>> Julia Evans's https://messwithdns.net/ comes to mind as an example of a
>>> similar tool, intended as a DNS teaching tool.
>>>
>>> On Sun, Dec 31, 2023 at 12:00 PM Andrew Ayer <[email protected]> wrote:
>>>
>>>> I'm happy to announce a new tool for inspecting the domain
>>>> validation practices of CAs:
>>>>
>>>> https://dcv-inspector.com
>>>>
>>>> You can use DCV Inspector to determine the vantage points from
>>>> which the CA sends domain validation requests, and to detect the
>>>> use of Delegated Third Parties, such as Google Public DNS. It
>>>> works by creating a unique subdomain for each test. When you
>>>> request a certificate from a CA for this subdomain, DCV Inspector
>>>> records all of the DNS queries, HTTP requests, and emails sent to
>>>> the subdomain, and presents them to you for your inspection.
>>>>
>>>> Example test report:
>>>> https://dcv-inspector.com/test/46e4bd9d8faef1d36bab7a9eff7b9524
>>>>
>>>> At the moment, DCV Inspector doesn't make any assessment about
>>>> whether or not the test results are compliant, but I envision a
>>>> future version including some automated compliance checks where
>>>> possible.
>>>>
>>>> DCV Inspector is open source and can be self-hosted if desired.
>>>> Bug reports and feature ideas (especially about possible automated
>>>> compliance checks) are welcome, either here or at GitHub:
>>>> https://github.com/SSLMate/dcv-inspector
>>>>
>>>> Unfortunately, the majority of CAs are difficult to test because
>>>> their certificates cost money or are not even offered to the
>>>> general public. A lot of badness may be flying under the radar
>>>> as a result, such as the use of public DNS resolvers. Consider
>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1872371 which was only
>>>> detected because the CA offers a free ACME endpoint. There are
>>>> surely other CAs using public DNS resolvers.
>>>>
>>>> I believe it would be extremely beneficial to require CAs to offer
>>>> some sort of public endpoint for issuing test certificates so that
>>>> their domain validation practices can be independently verified. A
>>>> more modest proposal that would also help would be requiring CAs to
>>>> include a DCV Inspector test report as part of their annual
>>>> self-assessment. Would love to hear your thoughts about how to
>>>> improve transparency into domain validation practices!
>>>>
>>>> Regards & happy new year,
>>>> Andrew
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "CCADB Public" group.
>>>> To unsubscribe from this group and stop receiving emails from it,
>>>> send an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/ccadb.org/d/msgid/public/20231231100033.6589c96e45aba5f4a74e53e5%40andrewayer.name
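The thread describes what DCV Inspector does with a test subdomain: record every DNS query that arrives, work out the CA's vantage points from the source addresses, and flag queries that arrive from a public resolver such as Google Public DNS or 1.1.1.1 (the DTP table Antonis offers to extend). Matthew's point about CAA being looked up only after the challenge completes suggests one obvious automated check: did a CAA query for the test name or one of its parent zones ever arrive? The Go program below is an added example, not dcv-inspector's own code; the DTP prefixes are RFC 5737 / RFC 3849 documentation placeholders rather than the published Google or Cloudflare egress ranges, the zone `dcv-test.example` is fictitious, and the captured queries are constructed inline.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// QueryRecord is one DNS query as a dcv-inspector-style recorder would
// log it for a test subdomain: who asked, for what name, and what type.
// (Constructed for this example; not the project's own type.)
type QueryRecord struct {
	Source netip.Addr
	Name   string // fully qualified, no trailing dot
	Type   string // "A", "TXT", "CAA", ...
}

// DTP names a delegated third party and the egress prefixes it sends
// queries from. The prefixes below are documentation-range placeholders
// (RFC 5737 / RFC 3849), NOT the published Google Public DNS or 1.1.1.1
// ranges; a real deployment loads those from the vendors' pages.
type DTP struct {
	Name     string
	Prefixes []netip.Prefix
}

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// KnownDTPs is the placeholder table: the names are real, the ranges are not.
var KnownDTPs = []DTP{
	{Name: "Google Public DNS", Prefixes: mustPrefixes("192.0.2.0/24")},
	{Name: "Cloudflare 1.1.1.1", Prefixes: mustPrefixes("198.51.100.0/24", "2001:db8:1::/48")},
}

// ClassifySource returns the DTP name when addr falls inside a known prefix.
func ClassifySource(addr netip.Addr, dtps []DTP) (string, bool) {
	for _, d := range dtps {
		for _, p := range d.Prefixes {
			if p.Contains(addr) {
				return d.Name, true
			}
		}
	}
	return "", false
}

// Report summarises what the recorded queries reveal about one validation.
type Report struct {
	VantagePoints []string // distinct CA-side source addresses (not DTPs)
	DTPsUsed      []string // distinct third-party resolvers observed
	CAAChecked    bool     // a CAA query arrived for the test name or an ancestor
}

// isSelfOrAncestor reports whether name equals testName or is a parent of it
// at a label boundary, matching the RFC 8659 "climbing" CAA lookup.
func isSelfOrAncestor(name, testName string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	testName = strings.ToLower(strings.TrimSuffix(testName, "."))
	return name == testName || strings.HasSuffix(testName, "."+name)
}

// Analyze builds a Report from the queries recorded for testName.
func Analyze(testName string, records []QueryRecord, dtps []DTP) Report {
	vantage, used := map[string]bool{}, map[string]bool{}
	var r Report
	for _, q := range records {
		if name, ok := ClassifySource(q.Source, dtps); ok {
			used[name] = true // query reached us via a public resolver
		} else {
			vantage[q.Source.String()] = true // query came straight from the CA
		}
		if strings.EqualFold(q.Type, "CAA") && isSelfOrAncestor(q.Name, testName) {
			r.CAAChecked = true
		}
	}
	for k := range vantage {
		r.VantagePoints = append(r.VantagePoints, k)
	}
	for k := range used {
		r.DTPsUsed = append(r.DTPsUsed, k)
	}
	sort.Strings(r.VantagePoints)
	sort.Strings(r.DTPsUsed)
	return r
}

// SampleRecords is a constructed capture: two CA vantage points fetching the
// dns-01 TXT record, one TXT query arriving from the placeholder "Google
// Public DNS" range, and a CAA lookup for the parent zone after the challenge.
func SampleRecords() []QueryRecord {
	mk := func(ip, name, typ string) QueryRecord {
		return QueryRecord{Source: netip.MustParseAddr(ip), Name: name, Type: typ}
	}
	return []QueryRecord{
		mk("203.0.113.10", "_acme-challenge.abc123.dcv-test.example", "TXT"),
		mk("203.0.113.11", "_acme-challenge.abc123.dcv-test.example", "TXT"),
		mk("192.0.2.53", "_acme-challenge.abc123.dcv-test.example", "TXT"),
		mk("203.0.113.10", "dcv-test.example", "CAA"),
	}
}

func main() {
	r := Analyze("abc123.dcv-test.example", SampleRecords(), KnownDTPs)
	fmt.Printf("vantage points: %v\nDTPs used: %v\nCAA checked: %v\n",
		r.VantagePoints, r.DTPsUsed, r.CAAChecked)
}
```

The classifier is deliberately prefix-based rather than keyed on the resolver's well-known service addresses (8.8.8.8, 1.1.1.1), because those are the addresses clients send to; the recursive resolver's outbound queries reach the authoritative server from separate egress ranges, which is what the Cloudflare FAQ linked above publishes. The CAA check only answers whether a lookup happened at all; deciding whether it happened within the window the Baseline Requirements allow would additionally need timestamps on each record.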
