On 02/11/2016 15:05, Ryan Sleevi wrote:
On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote:
This is where I strongly disagree! I have checked the TOS and Security policy, 
... etc. There is nowhere stated that Cloudflare is allowed without the User's 
knowledge to manipulate their DNS settings. That said, there is the proxy 
service they offer which is changing the DNS settings. But as you actively 
enable it, you are aware.

Certainly, this is stated via the CA/Browser Forum's Baseline Requirements, 
which is incorporated into the Mozilla Policy by reference and which 
enumerates acceptable means to obtain certificates.

You're focused on 'manipulation' of DNS (which is a bit of a misnomer), but 
because you're delegating control of the IP to Cloudflare, they can just obtain 
a certificate that way.

And the CA (Comodo) informed about it, and not at least requesting a statement 
from Cloudflare, means they support this, from my point of view, wrong behavior.


As it seems the only thing that can be done is move to a different DNS 
provider!! Still, this is a violation of trust!!!

If you feel that way, it may suggest Cloudflare may not be the right DNS 
provider for you. As you note, however, it's not an issue for the CA - it's a 
fully permitted and specified method - so if there's issue, this may not be the 
right forum for that.


The only thing that might be a CA / BR issue would be this:

What is the expected behaviour of a CA when they become aware that
someone is using illicit/dubious methods to pass an otherwise correct
application of BR and CPS mandated checks?

As an extreme example, imagine the Hollywood movie scenario where
someone goes into a bank with guns and hoods, and then while they are
in there robbing the cash, they also use their control of the bank's
buildings and equipment to obtain an EV certificate that passes all the
usual checks because the Bank's CEO had a machine gun at his head when
confirming the request etc. etc.  If the CA learns from the news that
the bank had been completely under siege on those days, should they
revoke the certificate as quickly as possible, or should they wait for
the (now dead) bank CEO to ask for revocation using the account
password he never had?

Note that I am not saying that CloudFlare's actions are illicit or that
the allegations are in any way comparable to armed robbery.  Only that
the CA operational principle in question might be the same.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
