undefined | Better HN

0 pointsmichaelt4mo ago0 comments

Imagine if, hypothetically speaking, the CA had given you a certificate based on a DNS-01 challenge, but when generating and validating the challenge record they'd forgotten to prefix it with an underscore. Which could have lead to a a certificate being issued to the wrong person if your website was a service like dyndns that lets users create custom subdomains.

Except (a) your website doesn't let users create custom subdomains; (b) as the certificate is now in use, you the certificate holder have demonstrated control over the web server as surely as a HTTP-01 challenge would; (c) you have accounts and contracts and payment information all confirming you are who you say you are; and (d) there is no suggestion whatsoever that the certificate was issued to the wrong person.

And you could have gotten a certificate for free from Lets Encrypt, if you had automatic certificate rotation in place - you paid $500 for a 12-month certificate because you don't.

An organisation with common sense policies might not need to revoke such a certificate at all, let alone revoke it with only hours of notice.

0 comments

Dylan168074mo ago

You didn't answer my question. What would the CA fixing it look like? Your hosting example had the company fix problems, not ignore them.

And have you seen how many actual security problems CAs have refused to revoke in the last few years? Holding them to their agreements is important, even if a specific mistake isn't a security problem [for specific clients]. Letting them haggle over the security impact of every mistake is much more hassle than it's worth.

> if you had automatic certificate rotation in place - you paid $500 for a 12-month certificate because you don't

Then in this hypothetical I made a mistake and I should fix it for next time.

And I should be pretty mad at my CA for giving me an invalid certificate. Was there an SLA?

j / k navigate · click thread line to collapse