ca-certificates

Unnamed repository; edit this file 'description' to name the repository.
git clone https://anongit.hacktivis.me/git/ca-certificates.git/
commit: 823748d82807370f515269f1ce6bad68b5945573
parent 6728099b2357995eea7b29edb9e6252f7f9976cb
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Mon, 23 Dec 2024 09:05:43 +0100

RejectedCAs: GlobalSign added non-standard DNS TXT records

Diffstat:

M RejectedCAs.md | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/RejectedCAs.md b/RejectedCAs.md @@ -1,8 +1,16 @@ # Rejected Certificate Authorities + ## GlobalSign -- Appears to still support non-standard verifications -- <https://www.globalsign.com/en/custom-ca-private-pki> seems to allow man-in-the-middle ("SSL/TLS Inspection/Decryption") which should only be done with a special non-trusted certificate +### Proprietary verification + +Even post-ACME, they still support non-standard verifications, in fact in September 2014 they added the non-standard ability to set custom emails via DNS TXT records: <https://support.globalsign.com/ssl/ssl-certificates-life-cycle/using-dns-txt-records-specifying-domain-approver-emails> + +### Custom CAs + +- <https://www.globalsign.com/en/custom-ca-private-pki> seems to allow man-in-the-middle ("SSL/TLS Inspection/Decryption") which should only be done with a special non-trusted certificates. + - Cross-signs other CAs, which while interesting for allowing new CA, ultimately means having to trust all the cross-signed CAs ## ZeroSSL -- This is a sockpuppet of COMODO which has been involved in numerous controversies: <https://en.wikipedia.org/wiki/Comodo_Cybersecurity> + +This is a sockpuppet of COMODO which has been involved in numerous controversies: <https://en.wikipedia.org/wiki/Comodo_Cybersecurity>
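
Review bot: In the new "Proprietary verification" paragraph, "in September 2014" sits oddly next to "Even post-ACME" and next to a commit dated December 2024; please confirm the year against the linked GlobalSign support article and correct it if it is a typo. In the "Custom CAs" list, "a special non-trusted certificates" mixes singular and plural (the removed line had "certificate"), and "allowing new CA" wants "new CAs". The added cross-signing bullet is the only claim in the GlobalSign section without a source link, so a reference there would let readers verify it the same way as the other entries.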