On 03/11/16 10:59, Gervase Markham wrote:
> However, I still don't get why you want to use Cloudflare's SSL
> termination services but are unwilling to allow them to get a
> certificate for your domain name.
>
> AIUI their free tier uses certs they obtain, but if you pay, you can
> provide your own cert. So if you want to use Cloudflare but don't want
> them obtaining certs for you, join the paying tier.
It is possible to use Cloudflare as a DNS-only provider, without any CDN/reverse proxying functionality. That's what seems to be the issue here - certificates are requested as soon as a domain is added to Cloudflare, even if the CDN functionality is never enabled. I don't think these certificates are mis-issued or that this practice is shady, but I can see how it might surprise a domain owner who is only looking for a DNS provider.

This is probably not something that can or should be resolved by the CA/B Forum or Mozilla. Realistically speaking, asking CAs to confirm that the actual domain registrant has authorized the issuance (rather than whoever is operating the DNS for that domain) is not possible in practice for DV. Going overboard with such a requirement carries the risk

The only other thing the BRs could ask for is that a subscriber (which would be Cloudflare in this case) has to include language regarding certificate issuance in their ToS if they act on behalf of other domain registrants. However, given that the goal is to avoid surprising the domain registrant, adding yet another section to a typical ToS document is hardly going to change anything.

I don't think it's worth optimizing for the "I trust someone to host my entire DNS zone and hold my DNSSEC keys (if you're into that kind of thing) but TLS certificates? Boo!" use case.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy