On Sunday, November 6, 2016 at 12:11:43 AM UTC+2, Ryan Sleevi wrote:
> Can you tell me where that clause indicates that they should use the Alexa
> Top 1 million to consider a request "High Risk"?
It doesn't, "High risk" is left for the CA's interpretation. But after the fact
you can say that
On Saturday, November 5, 2016 at 2:54:05 PM UTC-7, Itzhak Daniel wrote:
> (to my understanding) They did violate a "SHALL" guideline:
>
> "The CA SHALL develop, maintain, and implement documented procedures that
> identify and require additional verification activity for High Risk
> Certificate
On Friday, November 4, 2016 at 12:18:40 PM UTC+2, Gervase Markham wrote:
> ... But because WoSign had done the appropriate domain control checks,
> we did not consider this a mistake by WoSign.
(to my understanding) They did violate a "SHALL" guideline:
"The CA SHALL develop, maintain, and
Hi Gerhard,
I realise you are upset with what Cloudflare has been doing, but having
considered the matter, I think the bottom line is that the only
reasonable position for Mozilla to take is "issuances which perform a
valid domain control check are OK". We can't go policing the terms of
service
On 04/11/2016 07:01, Nigel Jones wrote:
On 11/09/2016 12:37 AM, Han Yuwei wrote:
I am using Cloudflare's DNS service and I found that Cloudflare has
issued a certificate to their server including my domain. But I didn't
use any SSL service of theirs. Is that ok to Mozilla's policy?
Issued
On Thu, Nov 03, 2016 at 03:39:11PM -0700, gerhard.tin...@gmail.com wrote:
> On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote:
> > On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote:
> > > Sadly, the shady behaviour is not with Comodo but with Cloudflare.
On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote:
> On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote:
> > Sadly, the shady behaviour is not with Comodo but with Cloudflare. As
> > cloudflare does not state anywhere that they issue certificates when SSL
On Thursday, November 3, 2016 at 1:23:48 PM UTC+1, Rob Stradling wrote:
> On 03/11/16 12:13, Han Yuwei wrote:
> > On Thursday, November 3, 2016 at 7:09:48 PM UTC+8, Rob Stradling wrote:
> >> On 03/11/16 09:59, Gervase Markham wrote:
> >>> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote:
> Before I contacted this
On Thursday, November 3, 2016 at 10:59:53 AM UTC+1, Gervase Markham wrote:
> On 02/11/16 23:26, wrote:
> > Before I contacted this group, I contacted Cloudflare and asked them
> > to stop creating certificates with my domain. The answer in short
> > was, ... they cannot change it and as long as I
On 03/11/16 14:18, Jakob Bohm wrote:
> On 03/11/2016 12:09, Rob Stradling wrote:
>
>> In my experience, joining Cloudflare's paying tier doesn't guarantee
>> that Cloudflare won't also obtain a free cert.
>>
>> A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying
>> tier from
On 03/11/2016 12:09, Rob Stradling wrote:
In my experience, joining Cloudflare's paying tier doesn't guarantee
that Cloudflare won't also obtain a free cert.
A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying
tier from the start, and we uploaded an EV cert straight away. I
On 03/11/16 12:13, Han Yuwei wrote:
> On Thursday, November 3, 2016 at 7:09:48 PM UTC+8, Rob Stradling wrote:
>> On 03/11/16 09:59, Gervase Markham wrote:
>>> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote:
Before I contacted this group, I contacted Cloudflare and asked them
to stop creating certificates with
On 03/11/16 09:59, Gervase Markham wrote:
> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote:
>> Before I contacted this group, I contacted Cloudflare and asked them
>> to stop creating certificates with my domain. The answer in short
>> was, ... they cannot change it and as long as I am using
On 03/11/16 10:59, Gervase Markham wrote:
> However, I still don't get why you want to use Cloudflare's SSL
> termination services but are unwilling to allow them to get a
> certificate for your domain name.
>
> AIUI their free tier uses certs they obtain, but if you pay, you can
> provide your
On 02/11/16 23:26, gerhard.tin...@gmail.com wrote:
> Before I contacted this group, I contacted Cloudflare and asked them
> to stop creating certificates with my domain. The answer in short
> was, ... they cannot change it and as long as I am using their
> service, they will continue.
How would
On Wednesday, November 2, 2016 at 11:34:44 PM UTC+1, Peter Gutmann wrote:
> Tom Ritter writes:
>
> >There's been (some) mention that even if a user moves off Cloudflare, the CA
> >is not obligated to revoke.
>
> Would it matter? I guess it depends on circumstances (whether you control the
>
sissuance because we will give CloudFlare any cert they
> want."
> From: gerhard...@gmail.com
> Sent: Wednesday, November 2, 2016 4:16 AM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: Cerificate
On Wednesday, November 2, 2016 at 11:42:00 PM UTC+1, Kristian Fiskerstrand
wrote:
> On 11/02/2016 11:38 PM, Peter Kurrasch wrote:
> > This raises an interesting point and I'd be interested in any comments
> > that Comodo or other CA's might have.
> >
>
> It really seems like a matter of
On Wed, Nov 02, 2016 at 09:50:41PM -0700, Han Yuwei wrote:
> On Saturday, September 10, 2016 at 8:37:40 PM UTC+8, Han Yuwei wrote:
> > I am using Cloudflare's DNS service and I found that Cloudflare has issued
> > a certificate to their server including my domain. But I didn't use any SSL
> > service of theirs. Is that ok
On Saturday, September 10, 2016 at 8:37:40 PM UTC+8, Han Yuwei wrote:
> I am using Cloudflare's DNS service and I found that Cloudflare has issued a
> certificate to their server including my domain. But I didn't use any SSL
> service of theirs. Is that ok to Mozilla's policy?
>
> Issued
On Wed, Nov 02, 2016 at 03:44:16PM +0100, Jakob Bohm wrote:
> What is the expected behaviour of a CA when they become aware that
> someone is using illicit/dubious methods to pass an otherwise correct
> application of BR and CPS mandated checks?
The "fraud or misuse" reason for revocation would
: Cerificate Concern about Cloudflare's DNS
On 11/02/2016 11:38 PM, Peter Kurrasch wrote:
> This raises an interesting point and I'd be interested in any comments
> that Comodo or other CA's might have.
>
It really seems like a matter of discussion for the terms of agreement
and interactio
On 11/02/2016 11:38 PM, Peter Kurrasch wrote:
> This raises an interesting point and I'd be interested in any comments
> that Comodo or other CA's might have.
>
It really seems like a matter of discussion for the terms of agreement
and interaction between the user and service provider, and not
This raises an interesting point and I'd be interested in any comments that Comodo or other CA's might have. It appears we have a situation where a cert is being issued to what is presumably an authorized party
Tom Ritter writes:
>There's been (some) mention that even if a user moves off Cloudflare, the CA
>is not obligated to revoke.
Would it matter? I guess it depends on circumstances (whether you control the
private key or Cloudflare does, whether you intend to use the same domain
On Wed, Nov 2, 2016 at 9:38 AM, Jakob Bohm wrote:
> On 02/11/2016 17:08, Peter Bowen wrote:
>>
>> On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote:
>>>
>>> On 2 November 2016 at 09:44, Jakob Bohm wrote:
The only thing that
On 02/11/16 16:01, Nick Lamb wrote:
> Maybe this can to some extent be fixed, but there are many other ways
> in which DNS names now have a footprint that extends beyond the life
> of the domain registration. Cookies and HSTS rules, spam blocks,
> Google search karma, and so on. So arguably buying
Cerificate Concern about Cloudflare's DNS
On 2 November 2016 at 11:24, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
> Revocation support for non-subscribers is sort of implied...sort of:
>
> Section 4.9.3:
> The CA SHALL provide Subscribers, Relying Parties, Application
> Soft
On 2 November 2016 at 11:24, Jeremy Rowley wrote:
> Revocation support for non-subscribers is sort of implied...sort of:
>
> Section 4.9.3:
> The CA SHALL provide Subscribers, Relying Parties, Application Software
> Suppliers, and other third parties with
> clear
On 02/11/2016 17:08, Peter Bowen wrote:
On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote:
On 2 November 2016 at 09:44, Jakob Bohm wrote:
The only thing that might be a CA / BR issue would be this:
There's been (some) mention that even if a user moves
=digicert@lists.mozilla.org]
On Behalf Of Peter Bowen
Sent: Wednesday, November 2, 2016 10:08 AM
To: Tom Ritter <t...@ritter.vg>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm
<jb-mozi...@wisemo.com>
Subject: Re: Cerificate Concern about Cloudflare's DNS
On Wed, Nov
On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote:
> On 2 November 2016 at 09:44, Jakob Bohm wrote:
>> The only thing that might be a CA / BR issue would be this:
>
> There's been (some) mention that even if a user moves off Cloudflare,
> the CA is not
On Wednesday, 2 November 2016 15:26:37 UTC, Tom Ritter wrote:
> There's been (some) mention that even if a user moves off Cloudflare,
> the CA is not obligated to revoke. I don't agree with that. If a user
> purchased a domain from someone (or bought a recently expired domain)
> and a TLS
On 2 November 2016 at 09:44, Jakob Bohm wrote:
> The only thing that might be a CA / BR issue would be this:
There's been (some) mention that even if a user moves off Cloudflare,
the CA is not obligated to revoke. I don't agree with that. If a user
purchased a domain from
On 02/11/2016 15:05, Ryan Sleevi wrote:
On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote:
This is where I strongly disagree! I have checked the TOS and Security policy,
... etc. There is nowhere stated that Cloudflare is allowed without the Users
knowledge to
On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote:
> This is where I strongly disagree! I have checked the TOS and Security
> policy, ... etc. There is nowhere stated that Cloudflare is allowed without
> the Users knowledge to manipulate their DNS settings. That said,
Hi,
>
> Since you delegated your DNS server to Cloudflare, you implicitly allowed
> them to perform this certificate request on your behalf.
>
>
This is where I strongly disagree! I have checked the TOS and Security policy,
... etc. There is nowhere stated that Cloudflare is allowed without
* Patrick Figel:
> On 17/09/16 16:38, Florian Weimer wrote:
>> * Peter Bowen:
>>
>>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei
>>> wrote:
So when I delegated the DNS service to Cloudflare, Cloudflare
have the privilege to issue the certificate by default? Can
On Sat, Sep 17, 2016 at 04:38:50PM +0200, Florian Weimer wrote:
> * Peter Bowen:
>
> > On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
> >> So when I delegated the DNS service to Cloudflare, Cloudflare have
> >> the privilege to issue the certificate by default? Can I
On 17/09/16 16:38, Florian Weimer wrote:
> * Peter Bowen:
>
>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei
>> wrote:
>>> So when I delegated the DNS service to Cloudflare, Cloudflare
>>> have the privilege to issue the certificate by default? Can I
>>> understand like
* Peter Bowen:
> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
>> So when I delegated the DNS service to Cloudflare, Cloudflare have
>> the privilege to issue the certificate by default? Can I understand
>> like that?
>
> I would guess that they have a clause in their
* Ben Laurie:
> On 10 September 2016 at 15:43, Erwann Abalea wrote:
>> Ironically, since you're not the Subscriber, you cannot request for
>> the revocation of this certificate, at least not directly to the
>> CA. If you want this certificate to be revoked, you need to ask
>>
On 09/10/2016 05:43 PM, Erwann Abalea wrote:
> Hello,
>
> On Saturday, September 10, 2016 at 14:37:40 UTC+2, Han Yuwei wrote:
>> I am using Cloudflare's DNS service and I found that Cloudflare has issued a
>> certificate to their server including my domain. But I didn't use any SSL
>> service of
On Tue, Sep 13, 2016 at 07:04:31AM -0700, Han Yuwei wrote:
> On Tuesday, September 13, 2016 at 7:12:22 PM UTC+8, Matt Palmer wrote:
> > On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote:
> > > On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote:
> > > I am the owner of BUPT.MOE and I just use DNS service.
> >
> > And
On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote:
> On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote:
> > If Cloudflare *was*, in fact, obtaining certificates on behalf of all its
> > DNS-using (only) customers on the "off chance" that they might want to use
> > their proxy services in the
On Sat, Sep 10, 2016 at 06:33:59PM -0700, xiaoyi...@outlook.com wrote:
> But is it an OK behavior if a CDN vendor doesn't immediately revoke the old
> cert after I stop using its CDN service?
I don't think it's automatically terrible behaviour. Plenty of people let
certificates lapse rather than
On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote:
> On Mon, Sep 12, 2016 at 08:57:29PM +0100, Rob Stradling wrote:
> > On 12/09/16 18:57, Jakob Bohm wrote:
> > > On 11/09/2016 07:49, Peter Bowen wrote:
> > >> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
> > >>> So when I
On 13/09/2016 01:28, Ryan Sleevi wrote:
On Monday, September 12, 2016 at 3:51:56 PM UTC-7, Jakob Bohm wrote:
Note that this is *entirely* outside CA/B and CA inclusion related
guidelines, since CloudFlare is (presumably) not a CA and thus not
subject to such guidelines.
Then isn't it also
On Saturday, September 10, 2016 at 10:44:05 AM UTC-4, Erwann Abalea wrote:
> Hello,
>
> On Saturday, September 10, 2016 at 14:37:40 UTC+2, Han Yuwei wrote:
> > I am using Cloudflare's DNS service and I found that Cloudflare has issued
> > a certificate to their server including my domain. But I
On Monday, September 12, 2016 at 2:43:09 PM UTC+1, Peter Kurrasch wrote:
> I was thinking of more the server (cloud) side of things. I'm not familiar
> enough with Cloudflare's service, but I imagine that if I have a server set
> up I will also have access to my private key. If so, I now have
On Mon, Sep 12, 2016 at 08:57:29PM +0100, Rob Stradling wrote:
> On 12/09/16 18:57, Jakob Bohm wrote:
> > On 11/09/2016 07:49, Peter Bowen wrote:
> >> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
> >>> So when I delegated the DNS service to Cloudflare, Cloudflare have
On Monday, September 12, 2016 at 3:51:56 PM UTC-7, Jakob Bohm wrote:
> Note that this is *entirely* outside CA/B and CA inclusion related
> guidelines, since CloudFlare is (presumably) not a CA and thus not
> subject to such guidelines.
Then isn't it also generally outside the scope of this list?
On 12/09/2016 23:48, Ryan Sleevi wrote:
On Monday, September 12, 2016 at 2:33:47 PM UTC-7, Jakob Bohm wrote:
I find fault in CloudFlare (presuming the story is actually as
reported).
Why? Apologies, but I fail to see what you believe is "wrong", given how
multiple people have pointed to you
On Monday, September 12, 2016 at 2:33:47 PM UTC-7, Jakob Bohm wrote:
> I find fault in CloudFlare (presuming the story is actually as
> reported).
Why? Apologies, but I fail to see what you believe is "wrong", given how
multiple people have pointed to you it being well-understood and
On 12/09/2016 21:57, Rob Stradling wrote:
On 12/09/16 18:57, Jakob Bohm wrote:
On 11/09/2016 07:49, Peter Bowen wrote:
On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
So when I delegated the DNS service to Cloudflare, Cloudflare have
the privilege to issue the
On 12/09/16 18:57, Jakob Bohm wrote:
> On 11/09/2016 07:49, Peter Bowen wrote:
>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
>>> So when I delegated the DNS service to Cloudflare, Cloudflare have
>>> the privilege to issue the certificate by default? Can I understand
On 11/09/2016 07:49, Peter Bowen wrote:
On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
So when I delegated the DNS service to Cloudflare, Cloudflare have the
privilege to issue the certificate by default? Can I understand like that?
I would guess that they have a
On Monday, September 12, 2016 at 15:59:14 UTC+2, Ben Laurie wrote:
> On 10 September 2016 at 15:43, Erwann Abalea wrote:
> > Ironically, since you're not the Subscriber, you cannot request for the
> > revocation of this certificate, at least not directly to the CA. If you
> >
On Mon, Sep 12, 2016 at 6:42 AM, Peter Kurrasch wrote:
> I was thinking of more the server (cloud) side of things. I'm not familiar
> enough with Cloudflare's service, but I imagine that if I have a server set
> up I will also have access to my private key. If so, I now have
-security-pol...@lists.mozilla.org
Subject: Re: Cerificate Concern about Cloudflare's DNS
Hello,
On Monday, September 12, 2016 at 14:30:56 UTC+2, Peter Kurrasch wrote:
> I noticed there are several other domains listed on that cert besides Han's
> (and wildcard versions for each). Unle
Hello,
On Monday, September 12, 2016 at 14:30:56 UTC+2, Peter Kurrasch wrote:
> I noticed there are several other domains listed on that cert besides Han's
> (and wildcard versions for each). Unless Han is the registrar or has some
> other affiliation with those domains it seems to me there is a
: Cerificate Concern about Cloudflare's DNS
On 10/09/16 15:43, Erwann Abalea wrote:
> In my opinion, the most plausible verification method in this case is the
> last one: "Having the Applicant demonstrate practical control over the FQDN
> by making an agreed-upon change to inf
On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
> So when I delegated the DNS service to Cloudflare, Cloudflare have the
> privilege to issue the certificate by default? Can I understand like that?
I would guess that they have a clause in their terms of service or
On Saturday, September 10, 2016 at 10:44:05 PM UTC+8, Erwann Abalea wrote:
> Hello,
>
> On Saturday, September 10, 2016 at 14:37:40 UTC+2, Han Yuwei wrote:
> > I am using Cloudflare's DNS service and I found that Cloudflare has issued
> > a certificate to their server including my domain. But I didn't use any SSL
> >
Hello,
On Saturday, September 10, 2016 at 14:37:40 UTC+2, Han Yuwei wrote:
> I am using Cloudflare's DNS service and I found that Cloudflare has issued a
> certificate to their server including my domain. But I didn't use any SSL
> service of theirs. Is that ok to Mozilla's policy?
>
> Issued
I am using Cloudflare's DNS service and I found that Cloudflare has issued a
certificate to their server including my domain. But I didn't use any SSL
service of theirs. Is that ok to Mozilla's policy?
Issued certificate: https://crt.sh/?id=31206531
My domain is BUPT.MOE