Re: Cerificate Concern about Cloudflare's DNS

On Sunday, November 6, 2016 at 12:11:43 AM UTC+2, Ryan Sleevi wrote: > Can you tell me where that clause indicates that they should use the Alexa > Top 1 million to consider a request "High Risk"? It doesn't, "High risk" is left for the CA's interpretation. But after the fact you can say that

Re: Cerificate Concern about Cloudflare's DNS

On Saturday, November 5, 2016 at 2:54:05 PM UTC-7, Itzhak Daniel wrote: > (to my understanding) They did violate a "SHALL" guideline: > > "The CA SHALL develop, maintain, and implement documented procedures that > identify and require additional verification activity for High Risk > Certificate

Re: Cerificate Concern about Cloudflare's DNS

On Friday, November 4, 2016 at 12:18:40 PM UTC+2, Gervase Markham wrote: > ... But because WoSign had done the appropriate domain control checks, > we did not consider this a mistake by WoSign. (to my understanding) They did violate a "SHALL" guideline: "The CA SHALL develop, maintain, and

Re: Cerificate Concern about Cloudflare's DNS

Hi Gerhard, I realise you are upset with what Cloudflare has been doing, but having considered the matter, I think the bottom line is that the only reasonable position for Mozilla to take is "issuances which perform a valid domain control check are OK". We can't go policing the terms of service

Re: Cerificate Concern about Cloudflare's DNS

On 04/11/2016 07:01, Nigel Jones wrote: On 11/09/2016 12:37 AM, Han Yuwei wrote: I am using Cloudflare's DNS service and I found that Cloudflare has issued a certficate to their server including my domain. But I didn't use any SSL service of theirs. Is that ok to Mozilla's policy? Issued

Re: Cerificate Concern about Cloudflare's DNS

On Thu, Nov 03, 2016 at 03:39:11PM -0700, gerhard.tin...@gmail.com wrote: > On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote: > > On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote: > > > Sadly, the shady behaviour is not with Comodo but with Cloudflare.

Re: Cerificate Concern about Cloudflare's DNS

On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote: > On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote: > > Sadly, the shady behaviour is not with Comodo but with Cloudflare. As > > cloudflare does not state anywhere that they issue certificates when SSL

Re: Cerificate Concern about Cloudflare's DNS

On Thursday, November 3, 2016 at 1:23:48 PM UTC+1, Rob Stradling wrote: > On 03/11/16 12:13, Han Yuwei wrote: > > 在 2016年11月3日星期四 UTC+8下午7:09:48，Rob Stradling写道： > >> On 03/11/16 09:59, Gervase Markham wrote: > >>> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: > Befor I contacted this

Re: Cerificate Concern about Cloudflare's DNS

On Thursday, November 3, 2016 at 10:59:53 AM UTC+1, Gervase Markham wrote: > On 02/11/16 23:26, wrote: > > Befor I contacted this group, I contacted Cloudflare and asked them > > to stop creating certificates with my domain. The answer in short > > was, ... they cannot change it and as long as I

Re: Cerificate Concern about Cloudflare's DNS

On 03/11/16 14:18, Jakob Bohm wrote: > On 03/11/2016 12:09, Rob Stradling wrote: > >> In my experience, joining Cloudflare's paying tier doesn't guarantee >> that Cloudflare won't also obtain a free cert. >> >> A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying >> tier from

Re: Cerificate Concern about Cloudflare's DNS

On 03/11/2016 12:09, Rob Stradling wrote: In my experience, joining Cloudflare's paying tier doesn't guarantee that Cloudflare won't also obtain a free cert. A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying tier from the start, and we uploaded an EV cert straight away. I

Re: Cerificate Concern about Cloudflare's DNS

On 03/11/16 12:13, Han Yuwei wrote: > 在 2016年11月3日星期四 UTC+8下午7:09:48，Rob Stradling写道： >> On 03/11/16 09:59, Gervase Markham wrote: >>> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: Befor I contacted this group, I contacted Cloudflare and asked them to stop creating certificates with

Re: Cerificate Concern about Cloudflare's DNS

On 03/11/16 09:59, Gervase Markham wrote: > On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: >> Befor I contacted this group, I contacted Cloudflare and asked them >> to stop creating certificates with my domain. The answer in short >> was, ... they cannot change it and as long as I am using

Re: Cerificate Concern about Cloudflare's DNS

On 03/11/16 10:59, Gervase Markham wrote: > However, I still don't get why you want to use Cloudflare's SSL > termination services but are unwilling to allow them to get a > certificate for your domain name. > > AIUI their free tier uses certs they obtain, but if you pay, you can > provide your

Re: Cerificate Concern about Cloudflare's DNS

On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: > Befor I contacted this group, I contacted Cloudflare and asked them > to stop creating certificates with my domain. The answer in short > was, ... they cannot change it and as long as I am using there > service, they will continue. How would

Re: [FORGED] Re: Cerificate Concern about Cloudflare's DNS

On Wednesday, November 2, 2016 at 11:34:44 PM UTC+1, Peter Gutmann wrote: > Tom Ritter writes: > > >There's been (some) mention that even if a user moves off Cloudflare, the CA > >is not obligated to revoke. > > Would it matter? I guess it depends on circumstances (whether you control the >

Re: Cerificate Concern about Cloudflare's DNS

sissuance because we will give CloudFlare any cert they > want." > > > > > > > > > > From: gerhard...@gmail.com > Sent: Wednesday, November 2, 2016 4:16 AM > To: mozilla-dev-s...@lists.mozilla.org > Subject: Re: Cerificate

Re: Cerificate Concern about Cloudflare's DNS

On Wednesday, November 2, 2016 at 11:42:00 PM UTC+1, Kristian Fiskerstrand wrote: > On 11/02/2016 11:38 PM, Peter Kurrasch wrote: > > This raises an interesting point and I'd be interested in any comments > > ‎that Comodo or other CA's might have. > > > > It really seems like a matter of

Re: Cerificate Concern about Cloudflare's DNS

On Wed, Nov 02, 2016 at 09:50:41PM -0700, Han Yuwei wrote: > 在 2016年9月10日星期六 UTC+8下午8:37:40，Han Yuwei写道： > > I am using Cloudflare's DNS service and I found that Cloudflare has issued > > a certficate to their server including my domain. But I didn't use any SSL > > service of theirs. Is that ok

Re: Cerificate Concern about Cloudflare's DNS

在 2016年9月10日星期六 UTC+8下午8:37:40，Han Yuwei写道： > I am using Cloudflare's DNS service and I found that Cloudflare has issued a > certficate to their server including my domain. But I didn't use any SSL > service of theirs. Is that ok to Mozilla's policy? > > Issued

Re: Cerificate Concern about Cloudflare's DNS

On Wed, Nov 02, 2016 at 03:44:16PM +0100, Jakob Bohm wrote: > What is the expected behaviour of a CA when they become aware that > someone is using illicit/dubious methods to pass an otherwise correct > application of BR and CPS mandated checks? The "fraud or misuse" reason for revocation would

Re: Cerificate Concern about Cloudflare's DNS

: Cerificate Concern about Cloudflare's DNS On 11/02/2016 11:38 PM, Peter Kurrasch wrote: > This raises an interesting point and I'd be interested in any comments > ‎that Comodo or other CA's might have. > It really seems like a matter of discussion for the terms of agreement and interactio

Re: Cerificate Concern about Cloudflare's DNS

On 11/02/2016 11:38 PM, Peter Kurrasch wrote: > This raises an interesting point and I'd be interested in any comments > ‎that Comodo or other CA's might have. > It really seems like a matter of discussion for the terms of agreement and interaction between the user and service provider, and not

Re: Cerificate Concern about Cloudflare's DNS

This raises an interesting point and I'd be interested in any comments ‎that Comodo or other CA's might have.It appears we have a situation where a cert is being issued to what is presumably an authorized party

Re: [FORGED] Re: Cerificate Concern about Cloudflare's DNS

Tom Ritter writes: >There's been (some) mention that even if a user moves off Cloudflare, the CA >is not obligated to revoke. Would it matter? I guess it depends on circumstances (whether you control the private key or Cloudflare does, whether you intend to use the same domain

Re: Cerificate Concern about Cloudflare's DNS

On Wed, Nov 2, 2016 at 9:38 AM, Jakob Bohm wrote: > On 02/11/2016 17:08, Peter Bowen wrote: >> >> On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote: >>> >>> On 2 November 2016 at 09:44, Jakob Bohm wrote: The only thing that

Re: Cerificate Concern about Cloudflare's DNS

On 02/11/16 16:01, Nick Lamb wrote: > Maybe this can to some extent be fixed, but there are many other ways > in which DNS names now have a footprint that extends beyond the life > of the domain registration. Cookies and HSTS rules, spam blocks, > Google search karma, and so on. So arguably buying

RE: Cerificate Concern about Cloudflare's DNS

Cerificate Concern about Cloudflare's DNS On 2 November 2016 at 11:24, Jeremy Rowley <jeremy.row...@digicert.com> wrote: > Revocation support for non-subscribers is sort of implied...sort of: > > Section 4.9.3: > The CA SHALL provide Subscribers, Relying Parties, Application > Soft

Re: Cerificate Concern about Cloudflare's DNS

On 2 November 2016 at 11:24, Jeremy Rowley wrote: > Revocation support for non-subscribers is sort of implied...sort of: > > Section 4.9.3: > The CA SHALL provide Subscribers, Relying Parties, Application Software > Suppliers, and other third parties with > clear

Re: Cerificate Concern about Cloudflare's DNS

On 02/11/2016 17:08, Peter Bowen wrote: On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote: On 2 November 2016 at 09:44, Jakob Bohm wrote: The only thing that might be a CA / BR issue would be this: There's been (some) mention that even if a user moves

RE: Cerificate Concern about Cloudflare's DNS

=digicert@lists.mozilla.org] On Behalf Of Peter Bowen Sent: Wednesday, November 2, 2016 10:08 AM To: Tom Ritter <t...@ritter.vg> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Jakob Bohm <jb-mozi...@wisemo.com> Subject: Re: Cerificate Concern about Cloudflare's DNS On Wed, Nov

Re: Cerificate Concern about Cloudflare's DNS

On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote: > On 2 November 2016 at 09:44, Jakob Bohm wrote: >> The only thing that might be a CA / BR issue would be this: > > There's been (some) mention that even if a user moves off Cloudflare, > the CA is not

Re: Cerificate Concern about Cloudflare's DNS

On Wednesday, 2 November 2016 15:26:37 UTC, Tom Ritter wrote: > There's been (some) mention that even if a user moves off Cloudflare, > the CA is not obligated to revoke. I don't agree with that. If a user > purchased a domain from someone (or bought a recently expired domain) > and a TLS

Re: Cerificate Concern about Cloudflare's DNS

On 2 November 2016 at 09:44, Jakob Bohm wrote: > The only thing that might be a CA / BR issue would be this: There's been (some) mention that even if a user moves off Cloudflare, the CA is not obligated to revoke. I don't agree with that. If a user purchased a domain from

Re: Cerificate Concern about Cloudflare's DNS

On 02/11/2016 15:05, Ryan Sleevi wrote: On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote: This is where I strongly disagree! I have checked the TOS and Security policy, ... etc. There is nowhere stated that Cloudflare is allowed without the Users knowledge to

Re: Cerificate Concern about Cloudflare's DNS

On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote: > This is where I strongly disagree! I have checked the TOS and Security > policy, ... etc. There is nowhere stated that Cloudflare is allowed without > the Users knowledge to manipulate there DNS settings. That sad,

Re: Cerificate Concern about Cloudflare's DNS

Hi, > > Since you delegated your DNS server to Cloudflare, you implicitly allowed > them to perform this certificate request on your behalf. > > This is where I strongly disagree! I have checked the TOS and Security policy, ... etc. There is nowhere stated that Cloudflare is allowed without

Re: Cerificate Concern about Cloudflare's DNS

* Patrick Figel: > On 17/09/16 16:38, Florian Weimer wrote: >> * Peter Bowen: >> >>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei >>> wrote: So when I delegated the DNS service to Cloudflare, Cloudflare have the privilege to issue the certificate by default? Can

Re: Cerificate Concern about Cloudflare's DNS

On Sat, Sep 17, 2016 at 04:38:50PM +0200, Florian Weimer wrote: > * Peter Bowen: > > > On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: > >> So when I delegated the DNS service to Cloudflare, Cloudflare have > >> the privilege to issue the certificate by default? Can I

Re: Cerificate Concern about Cloudflare's DNS

On 17/09/16 16:38, Florian Weimer wrote: > * Peter Bowen: > >> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei >> wrote: >>> So when I delegated the DNS service to Cloudflare, Cloudflare >>> have the privilege to issue the certificate by default? Can I >>> understand like

Re: Cerificate Concern about Cloudflare's DNS

* Peter Bowen: > On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: >> So when I delegated the DNS service to Cloudflare, Cloudflare have >> the privilege to issue the certificate by default? Can I understand >> like that? > > I would guess that they have a clause in their

Re: Cerificate Concern about Cloudflare's DNS

* Ben Laurie: > On 10 September 2016 at 15:43, Erwann Abalea wrote: >> Ironically, since you're not the Subscriber, you cannot request for >> the revocation of this certificate, at least not directly to the >> CA. If you want this certificate to be revoked, you need to ask >>

Re: Cerificate Concern about Cloudflare's DNS

On 09/10/2016 05:43 PM, Erwann Abalea wrote: > Bonjour, > > Le samedi 10 septembre 2016 14:37:40 UTC+2, Han Yuwei a écrit : >> I am using Cloudflare's DNS service and I found that Cloudflare has issued a >> certficate to their server including my domain. But I didn't use any SSL >> service of

Re: Cerificate Concern about Cloudflare's DNS

On Tue, Sep 13, 2016 at 07:04:31AM -0700, Han Yuwei wrote: > 在 2016年9月13日星期二 UTC+8下午7:12:22，Matt Palmer写道： > > On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote: > > > 在 2016年9月13日星期二 UTC+8上午8:07:31，Matt Palmer写道： > > > I am the owner of BUPT.MOE and I just use DNS service. > > > > And

Re: Cerificate Concern about Cloudflare's DNS

On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote: > 在 2016年9月13日星期二 UTC+8上午8:07:31，Matt Palmer写道： > > If Cloudflare *was*, in fact, obtaining certificates on behalf of all its > > DNS-using (only) customers on the "off chance" that they might want to use > > their proxy services in the

Re: Cerificate Concern about Cloudflare's DNS

On Sat, Sep 10, 2016 at 06:33:59PM -0700, xiaoyi...@outlook.com wrote: > But is it a OK behavior if a CDN vendor doesn't immediately revoke the old > cert after I stop using its CDN service? I don't think it's automatically terrible behaviour. Plenty of people let certificates lapse rather than

Re: Cerificate Concern about Cloudflare's DNS

在 2016年9月13日星期二 UTC+8上午8:07:31，Matt Palmer写道： > On Mon, Sep 12, 2016 at 08:57:29PM +0100, Rob Stradling wrote: > > On 12/09/16 18:57, Jakob Bohm wrote: > > > On 11/09/2016 07:49, Peter Bowen wrote: > > >> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: > > >>> So when I

Re: Cerificate Concern about Cloudflare's DNS

On 13/09/2016 01:28, Ryan Sleevi wrote: On Monday, September 12, 2016 at 3:51:56 PM UTC-7, Jakob Bohm wrote: Note that this is *entirely* outside CA/B and CA inclusion related guidelines, since CloudFlare is (presumably) not a CA and thus not subject to such guidelines. Then isn't it also

Re: Cerificate Concern about Cloudflare's DNS

On Saturday, September 10, 2016 at 10:44:05 AM UTC-4, Erwann Abalea wrote: > Bonjour, > > Le samedi 10 septembre 2016 14:37:40 UTC+2, Han Yuwei a écrit : > > I am using Cloudflare's DNS service and I found that Cloudflare has issued > > a certficate to their server including my domain. But I

Re: Cerificate Concern about Cloudflare's DNS

On Monday, September 12, 2016 at 2:43:09 PM UTC+1, Peter Kurrasch wrote: > I was thinking of more the server (cloud) side of things. I'm not familiar > enough with Cloudflare's service, but I imagine that if I have a server set > up I will also have access to my private key. If so, I now have

Re: Cerificate Concern about Cloudflare's DNS

On Mon, Sep 12, 2016 at 08:57:29PM +0100, Rob Stradling wrote: > On 12/09/16 18:57, Jakob Bohm wrote: > > On 11/09/2016 07:49, Peter Bowen wrote: > >> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: > >>> So when I delegated the DNS service to Cloudflare, Cloudflare have

Re: Cerificate Concern about Cloudflare's DNS

On Monday, September 12, 2016 at 3:51:56 PM UTC-7, Jakob Bohm wrote: > Note that this is *entirely* outside CA/B and CA inclusion related > guidelines, since CloudFlare is (presumably) not a CA and thus not > subject to such guidelines. Then isn't it also generally outside the scope of this list?

Re: Cerificate Concern about Cloudflare's DNS

On 12/09/2016 23:48, Ryan Sleevi wrote: On Monday, September 12, 2016 at 2:33:47 PM UTC-7, Jakob Bohm wrote: I find fault in CloudFlare (presuming the story is actually as reported). Why? Apologies, but I fail to see what you believe is "wrong", given how multiple people have pointed to you

Re: Cerificate Concern about Cloudflare's DNS

On Monday, September 12, 2016 at 2:33:47 PM UTC-7, Jakob Bohm wrote: > I find fault in CloudFlare (presuming the story is actually as > reported). Why? Apologies, but I fail to see what you believe is "wrong", given how multiple people have pointed to you it being well-understood and

Re: Cerificate Concern about Cloudflare's DNS

On 12/09/2016 21:57, Rob Stradling wrote: On 12/09/16 18:57, Jakob Bohm wrote: On 11/09/2016 07:49, Peter Bowen wrote: On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: So when I delegated the DNS service to Cloudflare, Cloudflare have the privilege to issue the

Re: Cerificate Concern about Cloudflare's DNS

On 12/09/16 18:57, Jakob Bohm wrote: > On 11/09/2016 07:49, Peter Bowen wrote: >> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: >>> So when I delegated the DNS service to Cloudflare, Cloudflare have >>> the privilege to issue the certificate by default? Can I understand

Re: Cerificate Concern about Cloudflare's DNS

On 11/09/2016 07:49, Peter Bowen wrote: On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: So when I delegated the DNS service to Cloudflare, Cloudflare have the privilege to issue the certificate by default? Can I understand like that? I would guess that they have a

Re: Cerificate Concern about Cloudflare's DNS

Le lundi 12 septembre 2016 15:59:14 UTC+2, Ben Laurie a écrit : > On 10 September 2016 at 15:43, Erwann Abalea wrote: > > Ironically, since you're not the Subscriber, you cannot request for the > > revocation of this certificate, at least not directly to the CA. If you > >

Re: Cerificate Concern about Cloudflare's DNS

On Mon, Sep 12, 2016 at 6:42 AM, Peter Kurrasch wrote: > I was thinking of more the server (cloud) side of things. I'm not familiar > enough with Cloudflare's service, but I imagine that if I have a server set > up I will also have access to my private key. If so, I now have

Re: Cerificate Concern about Cloudflare's DNS

-security-pol...@lists.mozilla.org Subject: Re: Cerificate Concern about Cloudflare's DNS Bonjour, Le lundi 12 septembre 2016 14:30:56 UTC+2, Peter Kurrasch a écrit : > I noticed there a several other domains listed on that cert besides Han's > (and wildcard versions for each).‎ Unle

Re: Cerificate Concern about Cloudflare's DNS

Bonjour, Le lundi 12 septembre 2016 14:30:56 UTC+2, Peter Kurrasch a écrit : > I noticed there a several other domains listed on that cert besides Han's > (and wildcard versions for each).‎ Unless Han is the registrar or has some > other affiliation with those domains it seems to me there is a

Re: Cerificate Concern about Cloudflare's DNS

: Cerificate Concern about Cloudflare's DNS On 10/09/16 15:43, Erwann Abalea wrote: > In my opinion, the most plausible verification method in this case is the > last one: "Having the Applicant demonstrate practical control over the FQDN > by making an agreed-upon change to inf

Re: Cerificate Concern about Cloudflare's DNS

On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: > So when I delegated the DNS service to Cloudflare, Cloudflare have the > privilege to issue the certificate by default? Can I understand like that? I would guess that they have a clause in their terms of service or

Re: Cerificate Concern about Cloudflare's DNS

在 2016年9月10日星期六 UTC+8下午10:44:05，Erwann Abalea写道： > Bonjour, > > Le samedi 10 septembre 2016 14:37:40 UTC+2, Han Yuwei a écrit : > > I am using Cloudflare's DNS service and I found that Cloudflare has issued > > a certficate to their server including my domain. But I didn't use any SSL > >

Re: Cerificate Concern about Cloudflare's DNS

Bonjour, Le samedi 10 septembre 2016 14:37:40 UTC+2, Han Yuwei a écrit : > I am using Cloudflare's DNS service and I found that Cloudflare has issued a > certficate to their server including my domain. But I didn't use any SSL > service of theirs. Is that ok to Mozilla's policy? > > Issued

Cerificate Concern about Cloudflare's DNS

I am using Cloudflare's DNS service and I found that Cloudflare has issued a certficate to their server including my domain. But I didn't use any SSL service of theirs. Is that ok to Mozilla's policy? Issued certificate:https://crt.sh/?id=31206531 My domain is BUPT.MOE