On Thursday, November 3, 2016 at 11:23:18 PM UTC+1, Matt Palmer wrote:
> On Thu, Nov 03, 2016 at 02:08:04PM -0700, gerhard.tin...@gmail.com wrote:
> > Sadly, the shady behaviour is not with Comodo but with Cloudflare. As
> > Cloudflare does not state anywhere that they issue certificates when SSL
> > and CDN features are explicitly switched off from the beginning.
>
> They do state it: in a blog post from 2014. They appear to believe this is
> sufficient notice.

Well, a blog post is not a TOS or a security policy. But maybe in some far away country it is accepted. Anyway, can you send me the link to that post?

> > 1. trust issue: Cloudflare issues certificates without asking permission
> > or stating it in TOS or elsewhere. Doing so when in DNS-only mode appears
> > to me illegal.
>
> Illegal? In which jurisdiction(s)?

Well, if you buy a VPS and the provider creates a certificate by validating by adding content to your webserver, ... we would agree that this is wrong, right? But when I get a service to host MY DNS entries, it is fine if the provider manipulates them without my knowledge? ... But I have noticed that in some countries the understanding of legal and illegal is different. Sad.

> > 2. trust issue: Cloudflare modifies the DNS entries to validate without
> > consent of the domain owner or account holder. Again, no mention of it in
> > TOS or anywhere else. So the modification is not permitted in DNS-only
> > mode.
>
> So go tell Cloudflare. Take your business elsewhere.

I understand, go and just live with a certificate that is issued without my permission. It seems that CT is useless if no actions are taken against wrong behaviour.

> There is no need to keep banging on about it on this list. Everyone here
> knows what Cloudflare is doing, they have their opinion of it, and as a
> group this list can do nothing about it.
>
> > But from the moment on when the CA (Comodo) is informed about this shady
> > behavior by multiple domain owners / account owners, Comodo should start
> > acting.
>
> As the Wikipedians say: "Citation Needed".
>
> - Matt

Still sad that wrong behaviour of companies that trick CAs into issuing certificates is protected by "go away!" comments. I would have expected more. And as this thread shows, I am not alone.