Hi Gerhard,

I realise you are upset with what Cloudflare has been doing, but having
considered the matter, I think the bottom line is that the only
reasonable position for Mozilla to take is "issuances which perform a
valid domain control check are OK". We can't go policing the terms of
service of every cloud provider and ISP.

To take a recent example, one of the issues raised against WoSign was
that they had "mis-issued" a cert for alicdn.com. The cert was not
requested by alicdn.com's management but by an attacker who had briefly
obtained the ability to control content on the domain. But because
WoSign had done the appropriate domain control checks, we did not
consider this a mistake by WoSign.

It therefore follows that if you don't want people issuing certs for
your domain, don't give them control over either your DNS, your WHOIS,
your server, or the content of your website.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
