Hi Erwann, I was thinking more of the server (cloud) side of things. I'm not familiar enough with Cloudflare's service, but I imagine that if I have a server set up I will also have access to my private key. If so, I now have access to the private key of the other domains. Perhaps there are protections set up?
Thanks for letting me know about the BR stipulation. I was hoping it would say something but didn't know what. 39 months seems too long though. A lot can happen in 3.5 years.

Original Message
From: Erwann Abalea
Sent: Monday, September 12, 2016 7:41 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate Concern about Cloudflare's DNS

Hello,

On Monday, 12 September 2016 14:30:56 UTC+2, Peter Kurrasch wrote:
> I noticed there are several other domains listed on that cert besides Han's
> (and wildcard versions for each). Unless Han is the registrar or has some
> other affiliation with those domains it seems to me there is a risk of some
> private key compromise situation.

How is the risk of key compromise higher because there are several domain names in the certificate?

> Also, if I want to add a new domain to a cert that has several other domains
> already on it, will I need to demonstrate control over all of the domains or
> only the new one?

For a DV, if you demonstrated control less than 39 months ago, the CA MAY keep the result and issue the certificate for the previously verified domains. Again, this is in the Baseline Requirements, not in this particular CA's CPS.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
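The two points under discussion, that every SAN on a shared certificate is served by one private key and that a DV domain-control result may be reused for up to 39 months under the Baseline Requirements, can be made concrete with a small audit program. The following Go code is an added example written for this page; it is not code from the thread or from any CA or from Cloudflare. It builds a constructed self-signed certificate with several made-up SANs (the names are placeholders), groups the SANs by registrable domain so an operator can see which unrelated parties share the key, and checks a validation date against the 39-month window the thread quotes. The registrable-domain heuristic (last two DNS labels) is an assumption for illustration only; a real audit would consult the Public Suffix List.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// registrableDomain returns a naive "eTLD+1" for a SAN: the last two DNS
// labels, with a leading "*." wildcard stripped. Assumption for illustration;
// production code should use the Public Suffix List instead.
func registrableDomain(san string) string {
	name := strings.TrimPrefix(strings.ToLower(san), "*.")
	labels := strings.Split(name, ".")
	if len(labels) <= 2 {
		return name
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// SharedKeyDomains groups every DNS SAN in cert by registrable domain.
// All groups are served by the same private key, which is the exposure
// the thread raises: whoever holds the key can serve every listed name.
func SharedKeyDomains(cert *x509.Certificate) map[string][]string {
	groups := make(map[string][]string)
	for _, san := range cert.DNSNames {
		d := registrableDomain(san)
		groups[d] = append(groups[d], san)
	}
	return groups
}

// ForeignDomains lists, sorted, the registrable domains on cert other than
// the caller's own: the parties whose TLS identity shares this key.
func ForeignDomains(cert *x509.Certificate, mine string) []string {
	var out []string
	for d := range SharedKeyDomains(cert) {
		if d != registrableDomain(mine) {
			out = append(out, d)
		}
	}
	sort.Strings(out)
	return out
}

// ValidationReuseMonths is the Baseline Requirements window quoted in the
// thread: a DV domain-control result may be reused for up to 39 months.
const ValidationReuseMonths = 39

// ValidationReusable reports whether a domain-control check performed at
// validatedAt may still be relied on for an issuance at issuedAt.
func ValidationReusable(validatedAt, issuedAt time.Time) bool {
	return !issuedAt.After(validatedAt.AddDate(0, ValidationReuseMonths, 0))
}

// newMultiSANCert builds a constructed self-signed certificate carrying
// several unrelated SANs plus a wildcard for each, standing in for the
// shared certificate discussed in the thread. The names are made up.
func newMultiSANCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var sans []string
	for _, d := range []string{"example-one.test", "example-two.test", "www.example-three.test"} {
		sans = append(sans, d, "*."+d)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 3, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newMultiSANCert()
	if err != nil {
		panic(err)
	}
	for d, sans := range SharedKeyDomains(cert) {
		fmt.Printf("%s -> %v\n", d, sans)
	}
	fmt.Println("other domains sharing my key:", ForeignDomains(cert, "example-one.test"))
	validated := time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC)
	issued := time.Date(2016, 9, 12, 0, 0, 0, 0, time.UTC)
	fmt.Println("validation from 2013-06-01 reusable on 2016-09-12:", ValidationReusable(validated, issued))
}
```

Run against a real certificate, `SharedKeyDomains` would be fed the parsed leaf from a TLS connection rather than the constructed one; the grouping shows an operator exactly how many unrelated registrable domains a single key compromise would affect, which is the risk the first message describes.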