On 03/11/16 12:13, Han Yuwei wrote: > 在 2016年11月3日星期四 UTC+8下午7:09:48,Rob Stradling写道: >> On 03/11/16 09:59, Gervase Markham wrote: >>> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote: >>>> Befor I contacted this group, I contacted Cloudflare and asked them >>>> to stop creating certificates with my domain. The answer in short >>>> was, ... they cannot change it and as long as I am using there >>>> service, they will continue. >>> >>> How would you expect the service to work without them doing that? >>> >>>> I also contacted Comodo as the CA and asked them. The answer was >>>> different but also not helping. In short, ... I can use a CAA DNS >>>> record (not supported by many DNS providers like Cloudflare) to avoid >>>> it in the future. But in the next sentence telling me that those >>>> records are not honoured by many CA's. >>> >>> Hopefully this will change before too long. >>> >>> However, I still don't get why you want to use Cloudflare's SSL >>> termination services but are unwilling to allow them to get a >>> certificate for your domain name. >>> >>> AIUI their free tier uses certs they obtain, but if you pay, you can >>> provide your own cert. So if you want to use Cloudflare but don't want >>> them obtaining certs for you, join the paying tier. >> >> In my experience, joining Cloudflare's paying tier doesn't guarantee >> that Cloudflare won't also obtain a free cert. >> >> A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying >> tier from the start, and we uploaded an EV cert straight away. I was >> surprised when https://crt.sh/atom?q=crt.sh alerted me to >> https://crt.sh/?id=42619974 >> >> -- >> Rob Stradling >> Senior Research & Development Scientist >> COMODO - Creating Trust Online > > So it is impossible to request a revocation even I do refuse to let > Cloudflare issue the certificate of my domain and keep using Cloudflare's DNS > service under these rules(CA/B BR and COMODO CPS)?
Comodo does check CAA records, so you could add a CAA record for your domain that doesn't permit Comodo to issue. This won't stop Cloudflare from requesting a free cert, but it should block the issuance of any requested cert. (Note however that our CAA checks fail open if there's an error with the CAA DNS lookup). -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
