Hello,

On Saturday, 10 September 2016 14:37:40 UTC+2, Han Yuwei wrote:
> I am using Cloudflare's DNS service and I found that Cloudflare has issued a
> certificate to their server including my domain. But I didn't use any SSL
> service of theirs. Is that ok to Mozilla's policy?
>
> Issued certificate: https://crt.sh/?id=31206531
> My domain is BUPT.MOE
Technically speaking, Cloudflare did not issue a certificate; they requested one and had it issued by a CA. I won't say whether it's ok for Mozilla or not, but it's at least authorized by the CABForum Baseline Requirements.

Cloudflare was the Applicant (it's now the Subscriber), Comodo is the CA, you are the Domain Name Registrant, your Registrar appears to be Hosting Concept (Openprovider), and the requested FQDN is bupt.moe.

The Applicant requested a certificate for the FQDN from the CA; the CA has several methods declared in its CPS to verify that the Applicant is authorized by the Domain Name Registrant to control the FQDN. Of all these methods, some of them won't work here without your knowledge (phone call, sending you an email as listed in the Whois, sending an email to admin/administrator/webmaster/hostmaster/postmaster@yourdomain).

One of the remaining methods may have been possible only if Cloudflare redirected the DNS record of your FQDN to one of their servers just for the verification to pass ("Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN"), which could be considered problematic.

In my opinion, the most plausible verification method in this case is the last one: "Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found in the DNS containing the FQDN"; for example, asking the Applicant to add a CA-chosen random value in a TXT record of the FQDN. Since you delegated your DNS server to Cloudflare, you implicitly allowed them to perform this certificate request on your behalf.

Ironically, since you're not the Subscriber, you cannot request the revocation of this certificate, at least not directly from the CA. If you want this certificate to be revoked, you need to ask Cloudflare.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
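The reply above argues that the "agreed-upon change in DNS" validation method is satisfied by whoever operates the authoritative zone, which after delegation is the DNS provider rather than the registrant. The following Python simulation, added here as an illustration and not code from the thread, the CA, or Cloudflare, walks through that method: the CA issues a random token, the zone operator publishes it as a TXT record, and the CA checks DNS. The in-memory zone, the 600-second challenge lifetime, and the timestamps are constructed assumptions; a real CA queries the FQDN's authoritative name servers and applies its own CPS-defined timing rules.

```python
"""Simulation of the Baseline Requirements' "agreed-upon change in DNS" method of
domain control validation. Constructed example: the DNS zone is an in-memory dict,
not a real resolver, and the validity window is an assumed value."""
import hmac
import secrets

CHALLENGE_TTL_SECONDS = 600  # assumed validity window for a challenge (not a BR-mandated value)


def normalize(fqdn: str) -> str:
    """Lower-case and strip a trailing dot so lookups are consistent."""
    return fqdn.strip().lower().rstrip(".")


def issue_challenge(fqdn: str, now: float) -> dict:
    """CA side: pick a random value the Applicant must publish in a TXT record of the FQDN."""
    return {
        "fqdn": normalize(fqdn),
        "token": secrets.token_urlsafe(32),
        "expires": now + CHALLENGE_TTL_SECONDS,
    }


def publish_txt(zone: dict, fqdn: str, value: str) -> None:
    """Authoritative-zone side: add a TXT record. Whoever operates the zone can do this,
    which after delegation is the DNS provider, not necessarily the Domain Name Registrant."""
    zone.setdefault(normalize(fqdn), []).append(value)


def validate_dns_change(challenge: dict, zone: dict, now: float) -> tuple:
    """CA side: passes only if the unexpired challenge's exact token is present as a
    TXT record of the FQDN. Returns (passed, reason)."""
    if now > challenge["expires"]:
        return False, "challenge expired"
    expected = challenge["token"].encode()
    for record in zone.get(challenge["fqdn"], []):
        # Constant-time comparison so timing does not leak how much of the token matched.
        if hmac.compare_digest(record.encode(), expected):
            return True, "agreed-upon TXT value found in DNS"
    return False, "no TXT record matches the challenge"


def demo() -> dict:
    """Walk through the scenario in the thread: the registrant never acts, and the DNS
    operator (acting as Applicant) completes the validation. Returns each step's outcome."""
    zone = {}                     # constructed authoritative zone for the FQDN
    t0 = 1_473_511_060.0          # constructed timestamp (September 2016)
    fqdn = "bupt.moe"

    challenge = issue_challenge(fqdn, now=t0)

    # 1. Nothing published yet: validation must fail.
    before = validate_dns_change(challenge, zone, now=t0 + 1)

    # 2. An unrelated TXT value in the zone does not satisfy the CA.
    publish_txt(zone, fqdn, "some-unrelated-txt-value")
    wrong_value = validate_dns_change(challenge, zone, now=t0 + 2)

    # 3. The zone operator publishes the token; the registrant was never involved.
    publish_txt(zone, fqdn, challenge["token"])
    operator_passes = validate_dns_change(challenge, zone, now=t0 + 3)

    # 4. The same record no longer satisfies the CA once the challenge has expired.
    too_late = validate_dns_change(challenge, zone, now=t0 + CHALLENGE_TTL_SECONDS + 1)

    return {
        "before_publish": before[0],
        "wrong_value": wrong_value[0],
        "operator_passes": operator_passes[0],
        "expired": too_late[0],
    }


if __name__ == "__main__":
    for step, passed in demo().items():
        print(f"{step}: {'PASS' if passed else 'FAIL'}")
```

Step 3 is the point of the reply: the CA's check is a test of zone control, so a registrant who wants to know about such requests has to monitor Certificate Transparency (as the crt.sh link in the question does) rather than expect the validation itself to involve them.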