It depends. If a CA just hands out a cert to anyone who manipulates DNS, that's one thing. If a CA (such as Comodo) has a formal agreement with another party (such as CloudFlare) to facilitate the issuance of certs, I think that's quite another. The former has all sorts of problems and I'm not so interested in rehashing them just now.
The latter, however, has not been formally addressed. I can envision scenarios where certs get mis-issued, people blame the CA for having some arrangement with CloudFlare (or whomever), and CA's scramble for cover from the storm that inevitably follows. I think it would be useful to have some ideas in place in advance of any such scenarios.

Original Message
From: Kristian Fiskerstrand
Sent: Wednesday, November 2, 2016 5:41 PM
To: Peter Kurrasch; gerhard.tin...@gmail.com; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Cerificate Concern about Cloudflare's DNS

On 11/02/2016 11:38 PM, Peter Kurrasch wrote:
> This raises an interesting point and I'd be interested in any comments
> that Comodo or other CA's might have.
>

It really seems like a matter of discussion for the terms of agreement and interaction between the user and service provider, and not a CA matter.

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aurum est Potestas
Gold is power
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy