I'm happy to announce a new tool for inspecting the domain validation practices of CAs:
https://dcv-inspector.com

You can use DCV Inspector to determine the vantage points from which the CA sends domain validation requests, and to detect the use of Delegated Third Parties, such as Google Public DNS. It works by creating a unique subdomain for each test. When you request a certificate from a CA for this subdomain, DCV Inspector records all of the DNS queries, HTTP requests, and emails sent to the subdomain, and presents them to you for your inspection.

Example test report: https://dcv-inspector.com/test/46e4bd9d8faef1d36bab7a9eff7b9524

At the moment, DCV Inspector doesn't make any assessment about whether or not the test results are compliant, but I envision a future version including some automated compliance checks where possible.

DCV Inspector is open source and can be self-hosted if desired. Bug reports and feature ideas (especially about possible automated compliance checks) are welcome, either here or at GitHub: https://github.com/SSLMate/dcv-inspector

Unfortunately, the majority of CAs are difficult to test because their certificates cost money or are not even offered to the general public. A lot of badness may be flying under the radar as a result, such as the use of public DNS resolvers. Consider https://bugzilla.mozilla.org/show_bug.cgi?id=1872371 which was only detected because the CA offers a free ACME endpoint. There are surely other CAs using public DNS resolvers.

I believe it would be extremely beneficial to require CAs to offer some sort of public endpoint for issuing test certificates so that their domain validation practices can be independently verified. A more modest proposal that would also help would be requiring CAs to include a DCV Inspector test report as part of their annual self-assessment.

Would love to hear your thoughts about how to improve transparency into domain validation practices!

Regards & happy new year,
Andrew

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/20231231100033.6589c96e45aba5f4a74e53e5%40andrewayer.name.
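As an added illustration (not part of the announcement above or of the DCV Inspector code base) of the automated checks the post envisions, this Python snippet runs over constructed records in the shape DCV Inspector collects for one test subdomain and reports the distinct vantage points, whether a CAA lookup was observed, and whether any DNS query arrived from a placeholder third-party resolver range. The record format, the addresses and the `THIRD_PARTY_RESOLVERS` list are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the shape DCV Inspector collects for one test
# subdomain (protocol, source address, what was requested). Made-up values,
# not a real test report; RFC 5737 documentation addresses throughout.
OBSERVATIONS = [
    {"proto": "dns", "src": "203.0.113.10", "qtype": "TXT", "name": "_acme-challenge.t1.example"},
    {"proto": "dns", "src": "203.0.113.10", "qtype": "CAA", "name": "t1.example"},
    {"proto": "dns", "src": "198.51.100.7", "qtype": "TXT", "name": "_acme-challenge.t1.example"},
    {"proto": "http", "src": "198.51.100.7", "path": "/.well-known/acme-challenge/tok"},
    {"proto": "dns", "src": "192.0.2.55", "qtype": "CAA", "name": "t1.example"},
]

# Placeholder egress ranges standing in for a public resolver's published
# ranges (substitute the operator's real list; this one only lets the
# example run offline).
THIRD_PARTY_RESOLVERS = {"EXAMPLE-PUBLIC-DNS": [ipaddress.ip_network("192.0.2.0/24")]}

def vantage_points(observations):
    """Map each source address to the sorted set of protocols seen from it.
    Each distinct address is one network perspective that reached the test."""
    by_src = defaultdict(set)
    for obs in observations:
        by_src[obs["src"]].add(obs["proto"])
    return {src: sorted(protos) for src, protos in by_src.items()}

def delegated_third_parties(observations):
    """DNS queries whose source falls in a known third-party resolver range,
    i.e. the CA let someone else resolve the validation records."""
    hits = set()
    for obs in observations:
        if obs["proto"] != "dns":
            continue
        addr = ipaddress.ip_address(obs["src"])
        for name, nets in THIRD_PARTY_RESOLVERS.items():
            if any(addr in net for net in nets):
                hits.add((obs["src"], name))
    return sorted(hits)

def report(observations):
    """Summary of the checks an automated mode might run over one test."""
    vps = vantage_points(observations)
    return {
        "vantage_points": len(vps),
        "caa_lookup_observed": any(o["proto"] == "dns" and o["qtype"] == "CAA"
                                   for o in observations),
        "delegated_third_parties": delegated_third_parties(observations),
    }
```

On the constructed records, `report(OBSERVATIONS)` shows three vantage points, a CAA lookup, and one DNS query from the placeholder resolver range, which is the pattern a Delegated Third Party would leave in a real test report.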
