On Thursday, November 3, 2016 at 1:23:48 PM UTC+1, Rob Stradling wrote:
> On 03/11/16 12:13, Han Yuwei wrote:
> > On Thursday, November 3, 2016 at 7:09:48 PM UTC+8, Rob Stradling wrote:
> >> On 03/11/16 09:59, Gervase Markham wrote:
> >>> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote:
> >>>> Before I contacted this group, I contacted Cloudflare and asked them
> >>>> to stop creating certificates with my domain. The answer in short
> >>>> was, ... they cannot change it and as long as I am using their
> >>>> service, they will continue.
> >>>
> >>> How would you expect the service to work without them doing that?
> >>>
> >>>> I also contacted Comodo as the CA and asked them. The answer was
> >>>> different but also not helping. In short, ... I can use a CAA DNS
> >>>> record (not supported by many DNS providers like Cloudflare) to avoid
> >>>> it in the future. But in the next sentence they tell me that those
> >>>> records are not honoured by many CAs.
> >>>
> >>> Hopefully this will change before too long.
> >>>
> >>> However, I still don't get why you want to use Cloudflare's SSL
> >>> termination services but are unwilling to allow them to get a
> >>> certificate for your domain name.
> >>>
> >>> AIUI their free tier uses certs they obtain, but if you pay, you can
> >>> provide your own cert. So if you want to use Cloudflare but don't want
> >>> them obtaining certs for you, join the paying tier.
> >>
> >> In my experience, joining Cloudflare's paying tier doesn't guarantee
> >> that Cloudflare won't also obtain a free cert.
> >>
> >> A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying
> >> tier from the start, and we uploaded an EV cert straight away. I was
> >> surprised when https://crt.sh/atom?q=crt.sh alerted me to
> >> https://crt.sh/?id=42619974
> >>
> >> --
> >> Rob Stradling
> >> Senior Research & Development Scientist
> >> COMODO - Creating Trust Online
> >
> > So it is impossible to request a revocation even if I refuse to let
> > Cloudflare issue the certificate of my domain and keep using Cloudflare's
> > DNS service under these rules (CA/B BR and COMODO CPS)?
>
> Comodo does check CAA records, so you could add a CAA record for your
> domain that doesn't permit Comodo to issue. This won't stop Cloudflare
> from requesting a free cert, but it should block the issuance of any
> requested cert. (Note however that our CAA checks fail open if there's
> an error with the CAA DNS lookup).
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

This seems to be the standard answer from Comodo. Conveniently, Cloudflare does not support CAA records. So this suggestion does not help with Cloudflare.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
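As an added illustration of the CAA processing Rob describes above (this is example code, not code from the thread, from Comodo or from Cloudflare), the sketch below evaluates an issuance request against CAA records the way RFC 6844 specifies: climb from the requested name towards the root until a CAA RRset is found, apply the `issue` or `issuewild` tag, refuse on an unknown critical tag, and treat a DNS lookup error as either fail-open (the behaviour Rob says Comodo's check has) or fail-closed. The in-memory zone and the CA identifier `example-ca.test` are constructed for the example; the real CAA issuer-domain strings for Comodo, or for the CA that issued the Cloudflare certificate, are not stated on the page.

```python
"""CAA issuance check (RFC 6844 tree climb) over a constructed in-memory zone.

Added example, not code from the thread or from any CA. Zone data and the
CA identifier "example-ca.test" are constructed for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone: owner name -> CAA RRset. A value of None models a DNS
# lookup failure (SERVFAIL / timeout), the case the thread mentions: a CA
# whose check "fails open" still issues when the lookup errors out.
ZONE: Dict[str, Optional[List[CAARecord]]] = {
    "example.com.": [(0, "issue", "example-ca.test"), (0, "issuewild", ";")],
    "broken.example.com.": None,
    "noca.example.com.": [(0, "issue", ";")],
    "strict.example.com.": [(128, "unknown-tag", "x")],
}

CRITICAL = 128  # the "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


class CAALookupError(Exception):
    """The CAA RRset for a name could not be determined."""


def lookup_caa(name: str) -> List[CAARecord]:
    """CAA RRset at exactly this owner name ([] if none); raises on lookup error."""
    name = name if name.endswith(".") else name + "."
    if name not in ZONE:
        return []
    rrset = ZONE[name]
    if rrset is None:
        raise CAALookupError(f"CAA lookup failed for {name}")
    return rrset


def relevant_caa(fqdn: str) -> List[CAARecord]:
    """RFC 6844 tree climb: first non-empty CAA RRset walking towards the root.

    The root itself is never queried; a name with no CAA anywhere up the
    tree yields [] and is unrestricted.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def _issuers_for(rrset: List[CAARecord], tag: str) -> Set[str]:
    """Issuer domains named by records with this tag; ";" alone yields ""."""
    return {value.split(";")[0].strip() for _, t, value in rrset if t == tag}


def may_issue(fqdn: str, ca_domain: str, fail_open: bool = False) -> bool:
    """Decide whether a CA identified by ca_domain may issue for fqdn.

    fail_open=True reproduces the behaviour described in the thread: a DNS
    error during the CAA lookup is treated as "no restriction".
    """
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    try:
        rrset = relevant_caa(name)
    except CAALookupError:
        return fail_open
    if not rrset:
        return True  # no CAA at any ancestor: issuance not restricted
    # An unrecognised tag with the critical flag set forbids issuance.
    if any(flags & CRITICAL and t not in KNOWN_TAGS for flags, t, _ in rrset):
        return False
    # issuewild takes precedence for wildcard names when present; otherwise
    # issue applies. issuewild is ignored for non-wildcard names.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    issuers = _issuers_for(rrset, tag)
    if not issuers:
        return True  # RRset carries no restricting tag for this request
    return ca_domain in issuers


if __name__ == "__main__":
    for req in ("www.example.com", "*.example.com", "broken.example.com",
                "noca.example.com", "strict.example.com", "www.example.org"):
        print(f"{req:22} fail-closed={may_issue(req, 'example-ca.test')!s:5} "
              f"fail-open={may_issue(req, 'example-ca.test', fail_open=True)}")
```

The `broken.example.com` case is the one that matters for the thread: with a fail-open policy the CAA record at `example.com` never gets a chance to block issuance because the lookup error short-circuits the check, whereas a fail-closed CA would refuse until DNS recovers.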