On 03/11/16 10:59, Gervase Markham wrote:
> However, I still don't get why you want to use Cloudflare's SSL
> termination services but are unwilling to allow them to get a
> certificate for your domain name.
> 
> AIUI their free tier uses certs they obtain, but if you pay, you can
> provide your own cert. So if you want to use Cloudflare but don't want
> them obtaining certs for you, join the paying tier.

It is possible to use Cloudflare as a DNS-only provider, without any
CDN/reverse proxying functionality. That's what seems to be the issue
here - certificates are requested as soon as a domain is added to
Cloudflare, even if the CDN functionality is never enabled.

I don't think these certificates are mis-issued or that this practice is
shady, but I can see how it might surprise a domain owner who is only
looking for a DNS provider.

This is probably not something that can or should be resolved by the
CA/B Forum or Mozilla. Realistically speaking, asking CAs to confirm
that the actual domain registrant has authorized the issuance (rather
than whoever is operating the DNS for that domain) is not possible in
practice for DV. Going overboard with such a requirement carries the risk

The only other thing the BRs could ask for is that a subscriber (which
would be Cloudflare in this case) has to include language regarding
certificate issuance in their ToS if they act on behalf of other domain
registrants. However, given that the goal is to avoid surprising the
domain registrant, adding yet another section to a typical ToS document
is hardly going to change anything.

I don't think it's worth optimizing for the "I trust someone to host my
entire DNS zone and hold my DNSSEC keys (if you're into that kind of
thing) but TLS certificates? Boo!"-use-case.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
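As an added illustration (not code from this thread, from Cloudflare or from any CA), the following Python models the DNS-based domain validation the reply refers to. The record name, token format and the in-memory zone are assumptions of the model; a real CA queries the domain's authoritative nameservers. The point it shows is the one made above: the CA can only check that the expected value appears in DNS, so whoever operates the zone can satisfy the challenge, and the CA has no way to tell that party apart from the registrant.

```python
"""Simplified model of a DNS TXT domain-validation (DV) challenge.

Added illustration, not the thread's or any CA's code. The record name
"_dv-challenge.<domain>", the token format and the in-memory Zone are
constructed assumptions; real CAs query authoritative nameservers.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample domain: the registrant owns the name but has delegated
# the whole zone to a hosting provider, who alone can edit its records.
DOMAIN = "example.com"


@dataclass
class Zone:
    """An authoritative zone held by whoever operates DNS for the domain."""
    name: str
    operator: str
    records: dict = field(default_factory=dict)  # (owner, type) -> value

    def set_txt(self, actor: str, owner: str, value: str) -> bool:
        # Only the zone operator can write records. The registrant cannot,
        # unless the registrant also happens to be the one running DNS.
        if actor != self.operator:
            return False
        self.records[(owner, "TXT")] = value
        return True

    def lookup_txt(self, owner: str):
        return self.records.get((owner, "TXT"))


class DemoCA:
    """A CA issuing DNS TXT challenges (loosely modelled on the BR 'DNS
    change' method; the exact record name and token format are assumptions)."""

    def __init__(self):
        self._pending = {}  # (domain, requester) -> expected token

    def request_challenge(self, domain: str, requester: str) -> tuple:
        token = secrets.token_hex(16)
        self._pending[(domain, requester)] = token
        # The CA tells the requester what to publish and where.
        return f"_dv-challenge.{domain}", token

    def validate(self, zone: Zone, domain: str, requester: str) -> bool:
        token = self._pending.get((domain, requester))
        if token is None:
            return False
        published = zone.lookup_txt(f"_dv-challenge.{domain}")
        # The CA only checks that the expected value is visible in DNS;
        # it learns nothing about who placed it there.
        return published is not None and hmac.compare_digest(published, token)


def run_scenario() -> dict:
    """Three requests against the same CA; returns who passed validation."""
    ca = DemoCA()
    results = {}

    # 1. Zone delegated to a DNS provider, and the provider requests the
    #    certificate: it can publish the token, so validation succeeds.
    hosted = Zone(DOMAIN, operator="dns-provider")
    owner, token = ca.request_challenge(DOMAIN, "dns-provider")
    results["provider_wrote"] = hosted.set_txt("dns-provider", owner, token)
    results["provider_validated"] = ca.validate(hosted, DOMAIN, "dns-provider")

    # 2. Same delegated zone, but the registrant requests a certificate:
    #    the registrant cannot write the zone, so its own token never
    #    appears and validation fails.
    owner, token = ca.request_challenge(DOMAIN, "registrant")
    results["registrant_wrote"] = hosted.set_txt("registrant", owner, token)
    results["registrant_validated"] = ca.validate(hosted, DOMAIN, "registrant")

    # 3. Registrant runs its own DNS: it validates exactly like the provider
    #    did, which is the point. The CA sees zone control, not ownership.
    self_hosted = Zone(DOMAIN, operator="registrant")
    owner, token = ca.request_challenge(DOMAIN, "registrant")
    self_hosted.set_txt("registrant", owner, token)
    results["self_hosted_validated"] = ca.validate(self_hosted, DOMAIN, "registrant")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Cases 1 and 3 succeed for the same reason and look identical to the CA, which is why a BR-level requirement to confirm the registrant's authorization cannot be implemented on top of DV: the validation method has no input other than DNS control. For a domain owner who only wanted a DNS host, that leaves monitoring what gets published for the domain, rather than the CA's validation step, as the place to notice an unexpected certificate.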
