On Thursday, 23 November 2017 at 20:24:19 UTC+8, Nick Lamb wrote:
> On Thu, 23 Nov 2017 00:50:04 +0100
> Quirin Scheitle via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > 2) Cloudflare FreeSSL certificates issued by Comodo
> > Batch: https://misissued.com/batch/30/
> > Description: We are not aware that Cloudflare and Comodo are
> > affiliated, or that Comodo runs the DNS infrastructure of Cloudflare
> > customers — so these certificates should be checked like any other?
>
> My understanding is that Cloudflare CDN (usually? always?) is enabled by
> giving Cloudflare control over DNS for the names you want given CDN
> treatment, either a CNAME or direct name server control.
>
> I assume Comodo's arrangement with Cloudflare to permit bulk issuance
> is streamlined significantly by this control over DNS and in exchange
> Cloudflare gets a very good deal on those certificates, with the
> exact details presumably commercially sensitive. It doesn't seem
> unlikely that Comodo skip some checks for names that Cloudflare control
> in this way.
>
> It would be concerning if as a result of the streamlining it is /ever/
> possible for Cloudflare to obtain certificates for names that were not
> actually assigned by the above mechanism to Cloudflare, even if this
> only happened accidentally - because responsibility for correct issuance
> must lie with Comodo, not Cloudflare, any abdication of decision making
> power to an untrusted third party can be a Big Problem, just as
> we saw with Symantec.
>
> It would be less concerning, but still problematic if Cloudflare
> allowed a situation to exist in which their customers could use
> Cloudflare CDN for a name (so Cloudflare would ask Comodo to
> issue certificates for this name) while also setting CAA to forbid
> issuance by Comodo for the name, and then get a certificate issued
> anyway. This is clearly a violation of the rules as written, and
> shouldn't happen, but I'd be comfortable seeing this as basically a
> goof, a mismatch between intention and implementation, just needing a
> software fix and maybe some better documentation from Cloudflare so
> that it doesn't happen again.
>
> Can we have a comment from Comodo about this? And if appropriate they
> can invite someone technical from Cloudflare to comment too.
>
> Nick.
Comodo will check CAA before issuance, even for domains on Cloudflare. I asked about it before (https://groups.google.com/d/msg/mozilla.dev.security.policy/rFyPQ0o7RMM/bBhqXEV8BQAJ). So I think Comodo should give a comment about this.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
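The CAA decision the thread says a CA must make before issuing, regardless of who controls the name's DNS, as an added example that is not code from the thread, from Comodo or from Cloudflare: it implements the RFC 8659 climb-to-parent lookup and the issue/issuewild matching over a constructed in-memory zone, with placeholder domains and CA identifiers.

```python
"""Evaluate CAA policy for a certificate request, RFC 8659 semantics.

Added example, not code from the list thread or from any CA. CAA_ZONE is a
constructed in-memory stand-in for DNS; domains and CA names are placeholders.
"""

# Constructed CAA data: name -> list of (flags, tag, value). A missing or empty
# entry means no CAA RRset at that name, so the lookup climbs to the parent.
CAA_ZONE = {
    "example.com": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "strict.example.net": [(0, "issue", ";")],       # ';' forbids all issuers
    "open.example.org": [],
}


def relevant_caa(name, zone=CAA_ZONE):
    """Relevant CAA RRset (RFC 8659 s.3): the first non-empty set found by
    walking from `name` toward the root. Wildcards are checked at the base."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]          # move to the parent domain
    return []


def issuer_domains(rrset, tag):
    """Issuer domain names carried by `tag` properties; any ';'-separated
    parameters are dropped. An empty issuer name matches no CA."""
    return [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]


def issuance_permitted(name, ca, zone=CAA_ZONE):
    """Return True if CA `ca` may issue for `name` under the relevant CAA set."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True                  # no CAA anywhere in the tree: unrestricted
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"            # issuewild takes precedence for wildcards
    allowed = issuer_domains(rrset, tag)
    if not allowed:
        return True                  # CAA present but no issue/issuewild property
    return ca.lower() in allowed
```

A CA that skips this step for names delegated to a CDN is exactly the gap the thread worries about: the subscriber's CAA record is authoritative even when a third party holds the DNS delegation.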