Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Matt Palmer
On Wed, Nov 02, 2016 at 09:50:41PM -0700, Han Yuwei wrote: > On Saturday, September 10, 2016 at 8:37:40 PM UTC+8, Han Yuwei wrote: > > I am using Cloudflare's DNS service and I found that Cloudflare has issued > > a certificate to their server including my domain. But I didn't use any SSL > > service of theirs. Is that ok

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Han Yuwei
On Saturday, September 10, 2016 at 8:37:40 PM UTC+8, Han Yuwei wrote: > I am using Cloudflare's DNS service and I found that Cloudflare has issued a > certificate to their server including my domain. But I didn't use any SSL > service of theirs. Is that ok to Mozilla's policy? > > Issued

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Matt Palmer
On Wed, Nov 02, 2016 at 03:44:16PM +0100, Jakob Bohm wrote: > What is the expected behaviour of a CA when they become aware that > someone is using illicit/dubious methods to pass an otherwise correct > application of BR and CPS mandated checks? The "fraud or misuse" reason for revocation would

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Peter Kurrasch
It depends. If a CA just hands out a cert to anyone who manipulates DNS, that's one thing. If a CA (such as Comodo) has a formal agreement with another party (such as CloudFlare) to facilitate the issuance of certs, I think that's quite another. The former has all sorts of problems and I'm not

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Kristian Fiskerstrand
On 11/02/2016 11:38 PM, Peter Kurrasch wrote: > This raises an interesting point and I'd be interested in any comments > that Comodo or other CA's might have. > It really seems like a matter of discussion for the terms of agreement and interaction between the user and service provider, and not

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Peter Kurrasch
This raises an interesting point and I'd be interested in any comments that Comodo or other CA's might have. It appears we have a situation where a cert is being issued to what is presumably an authorized party

Re: [FORGED] Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Peter Gutmann
Tom Ritter writes: >There's been (some) mention that even if a user moves off Cloudflare, the CA >is not obligated to revoke. Would it matter? I guess it depends on circumstances (whether you control the private key or Cloudflare does, whether you intend to use the same domain

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Peter Bowen
On Wed, Nov 2, 2016 at 9:38 AM, Jakob Bohm wrote: > On 02/11/2016 17:08, Peter Bowen wrote: >> >> On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote: >>> >>> On 2 November 2016 at 09:44, Jakob Bohm wrote: The only thing that

Adding "SecureSign Public CA11" intermediate CA cert to OneCRL

2016-11-02 Thread Kathleen Wilson
Per Bugzilla Bug #1314464 we are adding the "SecureSign Public CA11" intermediate CA cert to OneCRL as a precautionary measure. Here's some background on this... The JCSI Root CA (SecureSign RootCA11) was acquired by Cybertrust Japan (CTJ) in August 2014. The current WebTrust CA audit

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Gervase Markham
On 02/11/16 16:01, Nick Lamb wrote: > Maybe this can to some extent be fixed, but there are many other ways > in which DNS names now have a footprint that extends beyond the life > of the domain registration. Cookies and HSTS rules, spam blocks, > Google search karma, and so on. So arguably buying

RE: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Jeremy Rowley
Agreed, I'd support a requirement that mandated revocation of a certificate using the domain validation processes supported by the CA in issuance. If you can prove control enough to get a certificate from the CA, then you are able to prove control enough to revoke a certificate. -Original

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Tom Ritter
On 2 November 2016 at 11:24, Jeremy Rowley wrote: > Revocation support for non-subscribers is sort of implied...sort of: > > Section 4.9.3: > The CA SHALL provide Subscribers, Relying Parties, Application Software > Suppliers, and other third parties with > clear

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Jakob Bohm
On 02/11/2016 17:08, Peter Bowen wrote: On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote: On 2 November 2016 at 09:44, Jakob Bohm wrote: The only thing that might be a CA / BR issue would be this: There's been (some) mention that even if a user moves

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Itzhak Daniel
On Wednesday, November 2, 2016 at 5:22:30 PM UTC+2, Gervase Markham wrote: > Hi Daniel, > > On 02/11/16 14:11, Itzhak Daniel wrote: > As far as the DigiCert certs go, it is far too early to have an opinion > on what Mozilla is or isn't doing. I have to agree, the time span is too short (at least

RE: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Jeremy Rowley
Revocation support for non-subscribers is sort of implied...sort of: Section 4.9.3: The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Peter Bowen
On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote: > On 2 November 2016 at 09:44, Jakob Bohm wrote: >> The only thing that might be a CA / BR issue would be this: > > There's been (some) mention that even if a user moves off Cloudflare, > the CA is not

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Nick Lamb
On Wednesday, 2 November 2016 15:26:37 UTC, Tom Ritter wrote: > There's been (some) mention that even if a user moves off Cloudflare, > the CA is not obligated to revoke. I don't agree with that. If a user > purchased a domain from someone (or bought a recently expired domain) > and a TLS

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Tom Ritter
On 2 November 2016 at 09:44, Jakob Bohm wrote: > The only thing that might be a CA / BR issue would be this: There's been (some) mention that even if a user moves off Cloudflare, the CA is not obligated to revoke. I don't agree with that. If a user purchased a domain from

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Gervase Markham
Hi Daniel, On 02/11/16 14:11, Itzhak Daniel wrote: > Interesting that Comodo and DigiCert are getting a different > treatment, As far as the DigiCert certs go, it is far too early to have an opinion on what Mozilla is or isn't doing. And let us remember, the WoSign incident involved multiple

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Gervase Markham
Hi dracenmarx, On 02/11/16 12:44, dracenm...@googlemail.com wrote: > (1) I did find any public answer from Apple, Google or Mozilla in > regards to the Remediation plan by StartCom. I have the feeling, that > the sanctions were applied without considering this document. ( >

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Itzhak Daniel
Interesting that Comodo and DigiCert are getting a different treatment, I wonder if WoSign/StartCom had ignored Mozilla Security Community to some degree, the same way Comodo and DigiCert are doing, would it have saved them. (I don't know if there are chatters in the back, maybe I missed something

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Jakob Bohm
On 02/11/2016 15:05, Ryan Sleevi wrote: On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote: This is where I strongly disagree! I have checked the TOS and Security policy, ... etc. There is nowhere stated that Cloudflare is allowed without the User's knowledge to

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Ryan Sleevi
On Wednesday, November 2, 2016 at 2:16:34 AM UTC-7, gerhard...@gmail.com wrote: > This is where I strongly disagree! I have checked the TOS and Security > policy, ... etc. There is nowhere stated that Cloudflare is allowed without > the User's knowledge to manipulate their DNS settings. That said,

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread dracenmarx
I think that the steps against StartCom are too extreme and I would like to tell my personal opinion. First of all, I want to say that I don't have any benefits when I tell this opinion, since I personally already switched to a different CA. (1) I did find any public answer from Apple, Google

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread gerhard . tinned
Hi, > > Since you delegated your DNS server to Cloudflare, you implicitly allowed > them to perform this certificate request on your behalf. > > This is where I strongly disagree! I have checked the TOS and Security policy, ... etc. There is nowhere stated that Cloudflare is allowed without