On Wednesday, November 2, 2016 at 11:39:09 PM UTC+1, Peter Kurrasch wrote: > This raises an interesting point and I'd be interested in any comments that > Comodo or other CA's might have. > > > It appears we have a situation where a cert is being issued to what is > presumably an authorized party yet that party is not actually authorized by > the subscriber. How does Comodo or any other CA validate that a "domain > manipulator" has been and continues to be authorized by the actual domain > registrant? Is any attestation provided by a party (such as CloudFlare) that > they have authorization by their own clients to do whatever they are doing? > > > It's in the interest of CA's to have some well thought-out plans here > because I think we know who is getting the blame when the system breaks down. > I don't think it would sit well if a CA were to come here and say "you can't > blame us for the misissuance because we will give CloudFlare any cert they > want." > > > > > > > > > > From: gerhard...@gmail.com > Sent: Wednesday, November 2, 2016 4:16 AM > To: mozilla-dev-s...@lists.mozilla.org > Subject: Re: Cerificate Concern about Cloudflare's DNS > > > Hi, > > > > > Since you delegated your DNS server to Cloudflare, you implicitly allowed > > them to perform this certificate request on your behalf. > > > > > This is where I strongly disagree! I have checked the TOS and Security > policy, ... etc. There is nowhere stated that Cloudflare is allowed without > the Users knowledge to manipulate there DNS settings. That sad, there is the > proxy service they offer which is changing the DNS settings. But as you > actively enable it, you are aware. > > By delegating the DNS server to Cloudflare, you entrust Cloudflare to > distribute the User defined DNS settings. To be able to validate for the > certificate, the DNS settings are changed without the users knowledge. No TOS > or any other policy states this. > > Even if that might not be issue for the CA itself (which i do not agree on), > This is definitely braking the trust to its users. > > And the CA (Comodo) informed about it, and not at least requesting a > statement from Cloudflare, means they support this, from my point of view, > wrong behavior. > > > As it seems the only thing that can be done is move to a different DNS > provider!! Still, this is a vialation of trust!!! > > _______________________________________________ > dev-security-policy mailing list > dev-secur...@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy
Thank you. I could not agree more. Befor I contacted this group, I contacted Cloudflare and asked them to stop creating certificates with my domain. The answer in short was, ... they cannot change it and as long as I am using there service, they will continue. I also contacted Comodo as the CA and asked them. The answer was different but also not helping. In short, ... I can use a CAA DNS record (not supported by many DNS providers like Cloudflare) to avoid it in the future. But in the next sentence telling me that those records are not honoured by many CA's. I started reading the TOC and policies of Cloudflare again looking for any clue about this. Nothing. No mention about the certificates that get issued, nothing about the DNS changes, ... Still everybody tells me something like, "Well if Cloudflare is doing it, it must be right. Why do you complain?" It is nice to read a answer like this even if it doe not solve it. :) Thanks! _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
