On Thursday, November 3, 2016 at 11:55:15 AM UTC+1, Patrick Figel wrote:
> On 03/11/16 10:59, Gervase Markham wrote:
> > However, I still don't get why you want to use Cloudflare's SSL
> > termination services but are unwilling to allow them to get a
> > certificate for your domain name.
> > 
> > AIUI their free tier uses certs they obtain, but if you pay, you can
> > provide your own cert. So if you want to use Cloudflare but don't want
> > them obtaining certs for you, join the paying tier.
> 
> It is possible to use Cloudflare as a DNS-only provider, without any
> CDN/reverse proxying functionality. That's what seems to be the issue
> here - certificates are requested as soon as a domain is added to
> Cloudflare, even if the CDN functionality is never enabled.
> 
> I don't think these certificates are mis-issued or that this practice is
> shady, but I can see how it might surprise a domain owner who is only
> looking for a DNS provider.
> 
> This is probably not something that can or should be resolved by the
> CA/B Forum or Mozilla. Realistically speaking, asking CAs to confirm
> that the actual domain registrant has authorized the issuance (rather
> than whoever is operating the DNS for that domain) is not possible in
> practice for DV. Going overboard with such a requirement carries the risk
> 
> The only other thing the BRs could ask for is that a subscriber (which
> would be Cloudflare in this case) has to include language regarding
> certificate issuance in their ToS if they act on behalf of other domain
> registrants. However, given that the goal is to avoid surprising the
> domain registrant, adding yet another section to a typical ToS document
> is hardly going to change anything.
> 
> I don't think it's worth optimizing for the "I trust someone to host my
> entire DNS zone and hold my DNSSEC keys (if you're into that kind of
> thing) but TLS certificates? Boo!"-use-case.

Sadly, the shady behaviour is not with Comodo but with Cloudflare, as 
Cloudflare does not state anywhere that they issue certificates when SSL and 
CDN features are explicitly switched off from the beginning. 

1. trust issue: Cloudflare issues certificates without asking permission or 
stating it in the ToS or elsewhere. Doing so when in DNS-only mode appears 
illegal to me. 

2. trust issue: Cloudflare modifies the DNS entries to validate without consent 
of the domain owner or account holder. Again, no mention of it in the ToS or 
anywhere else. So the modification is not permitted in DNS-only mode.

As issue 2 allows them to validate correctly against the CA's validation 
request (as explained by Comodo), this does not mean the certificates are issued 
under shady circumstances at this point.

But from the moment the CA (Comodo) is informed about this shady 
behaviour by multiple domain owners / account owners, Comodo should start 
acting. Just referring to a valid DNS verification does not magically fix it.


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy