On Wed, Nov 02, 2016 at 09:50:41PM -0700, Han Yuwei wrote:
> On Saturday, September 10, 2016 at 8:37:40 PM UTC+8, Han Yuwei wrote:
> > I am using Cloudflare's DNS service and I found that Cloudflare has issued
> > a certificate to their server including my domain. But I didn't use any SSL
> > service of theirs. Is that ok
On Saturday, September 10, 2016 at 8:37:40 PM UTC+8, Han Yuwei wrote:
> I am using Cloudflare's DNS service and I found that Cloudflare has issued a
> certificate to their server including my domain. But I didn't use any SSL
> service of theirs. Is that ok to Mozilla's policy?
>
> Issued certificate: https://crt.sh/?id=312
On Tue, Nov 01, 2016 at 01:23:30PM -0700, gerhard.tin...@gmail.com wrote:
> > Since you delegated your DNS server to Cloudflare, you implicitly allowed
> > them to perform this certificate request on your behalf.
>
> This is where I strongly disagree! I have checked the TOS and Security
> policy,
On Wed, Nov 02, 2016 at 03:44:16PM +0100, Jakob Bohm wrote:
> What is the expected behaviour of a CA when they become aware that
> someone is using illicit/dubious methods to pass an otherwise correct
> application of BR and CPS mandated checks?
The "fraud or misuse" reason for revocation would be
It depends. If a CA just hands out a cert to anyone who manipulates DNS, that's
one thing. If a CA (such as Comodo) has a formal agreement with another party
(such as CloudFlare) to facilitate the issuance of certs, I think that's quite
another. The former has all sorts of problems and I'm not
On 11/02/2016 11:38 PM, Peter Kurrasch wrote:
> This raises an interesting point and I'd be interested in any comments
> that Comodo or other CA's might have.
>
It really seems like a matter of discussion for the terms of agreement
and interaction between the user and service provider, and not a
This raises an interesting point and I'd be interested in any comments that Comodo or other CA's might have. It appears we have a situation where a cert is being issued to what is presumably an authorized party ye
Tom Ritter writes:
>There's been (some) mention that even if a user moves off Cloudflare, the CA
>is not obligated to revoke.
Would it matter? I guess it depends on circumstances (whether you control the
private key or Cloudflare does, whether you intend to use the same domain
elsewhere or not,
On Wed, Nov 2, 2016 at 9:38 AM, Jakob Bohm wrote:
> On 02/11/2016 17:08, Peter Bowen wrote:
>>
>> On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote:
>>>
>>> On 2 November 2016 at 09:44, Jakob Bohm wrote:
The only thing that might be a CA / BR issue would be this:
>>>
>>>
>>> There's bee
Per Bugzilla Bug #1314464 we are adding the "SecureSign Public CA11"
intermediate CA cert to OneCRL as a precautionary measure.
Here's some background on this...
The JCSI Root CA (SecureSign RootCA11) was acquired by Cybertrust Japan(CTJ) in
August 2014.
The current WebTrust CA audit statement
On 02/11/16 16:01, Nick Lamb wrote:
> Maybe this can to some extent be fixed, but there are many other ways
> in which DNS names now have a footprint that extends beyond the life
> of the domain registration. Cookies and HSTS rules, spam blocks,
> Google search karma, and so on. So arguably buying
Agreed, I'd support a requirement that mandated revocation of a certificate
using the domain validation processes supported by the CA in issuance. If you
can prove control enough to get a certificate from the CA, then you are able
to prove control enough to revoke a certificate.
-Original M
On 2 November 2016 at 11:24, Jeremy Rowley wrote:
> Revocation support for non-subscribers is sort of implied...sort of:
>
> Section 4.9.3:
> The CA SHALL provide Subscribers, Relying Parties, Application Software
> Suppliers, and other third parties with
> clear instructions for reporting suspec
On 02/11/2016 17:08, Peter Bowen wrote:
On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote:
On 2 November 2016 at 09:44, Jakob Bohm wrote:
The only thing that might be a CA / BR issue would be this:
There's been (some) mention that even if a user moves off Cloudflare,
the CA is not obligated
On Wednesday, November 2, 2016 at 5:22:30 PM UTC+2, Gervase Markham wrote:
> Hi Daniel,
>
> On 02/11/16 14:11, Itzhak Daniel wrote:
> As far as the DigiCert certs go, it is far too early to have an opinion
> on what Mozilla is or isn't doing.
I have to agree, the time span is too short (at least
Revocation support for non-subscribers is sort of implied...sort of:
Section 4.9.3:
The CA SHALL provide Subscribers, Relying Parties, Application Software
Suppliers, and other third parties with
clear instructions for reporting suspected Private Key Compromise, Certificate
misuse, or other type
On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote:
> On 2 November 2016 at 09:44, Jakob Bohm wrote:
>> The only thing that might be a CA / BR issue would be this:
>
> There's been (some) mention that even if a user moves off Cloudflare,
> the CA is not obligated to revoke. I don't agree with that
On Wednesday, 2 November 2016 15:26:37 UTC, Tom Ritter wrote:
> There's been (some) mention that even if a user moves off Cloudflare,
> the CA is not obligated to revoke. I don't agree with that. If a user
> purchased a domain from someone (or bought a recently expired domain)
> and a TLS certifi
On 2 November 2016 at 09:44, Jakob Bohm wrote:
> The only thing that might be a CA / BR issue would be this:
There's been (some) mention that even if a user moves off Cloudflare,
the CA is not obligated to revoke. I don't agree with that. If a user
purchased a domain from someone (or bought a re
Hi Daniel,
On 02/11/16 14:11, Itzhak Daniel wrote:
> Interesting that Comodo and DigiCert are getting a different
> treatment,
As far as the DigiCert certs go, it is far too early to have an opinion
on what Mozilla is or isn't doing. And let us remember, the WoSign
incident involved multiple ins
Hi dracenmarx,
On 02/11/16 12:44, dracenm...@googlemail.com wrote:
> (1) I did find any public answer from Apple, Google or Mozilla in
> regards to the Remediation plan by StartCom. I have the feeling, that
> the sanctions were applied without considering this document. (
> https://www.startssl.co
Interesting that Comodo and DigiCert are getting a different treatment, I
wonder if WoSign/StartCom had ignored Mozilla Security Community to some
degree, the same way Comodo and DigiCert are doing, would it have saved them.
(I don't know if there are chatters in the back, maybe I missed something an
On 02/11/2016 15:05, Ryan Sleevi wrote:
On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote:
This is where I strongly disagree! I have checked the TOS and Security policy,
... etc. There is nowhere stated that Cloudflare is allowed without the Users
knowledge to mani
On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote:
> This is where I strongly disagree! I have checked the TOS and Security
> policy, ... etc. There is nowhere stated that Cloudflare is allowed without
> the Users knowledge to manipulate their DNS settings. That said,
On 02/11/2016 13:44, dracenm...@googlemail.com wrote:
I think that the steps against StartCom are too extreme and I would like to
tell my personal opinion. First of all, I want to say that I don't have any
benefits when I tell this opinion, since I personally already switched to a
different CA
I think that the steps against StartCom are too extreme and I would like to
tell my personal opinion. First of all, I want to say that I don't have any
benefits when I tell this opinion, since I personally already switched to a
different CA.
(1) I did find any public answer from Apple, Google o
Hi,
>
> Since you delegated your DNS server to Cloudflare, you implicitly allowed
> them to perform this certificate request on your behalf.
>
>
This is where I strongly disagree! I have checked the TOS and Security policy,
... etc. There is nowhere stated that Cloudflare is allowed without