commit: a9db522851fa9a73045c39951390e61cbec21081
parent ae82d4612a0299c1f6e8d7977439caaee4d548f3
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Mon, 23 Dec 2024 09:05:43 +0100
RejectedCAs: GlobalSign added non-standard DNS TXT records
Diffstat:
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/RejectedCAs.md b/RejectedCAs.md
@@ -1,7 +1,14 @@
# Rejected Certificate Authorities
+
## GlobalSign
-- Appears to still support non-standard verifications
-- <https://www.globalsign.com/en/custom-ca-private-pki> seems to allow man-in-the-middle ("SSL/TLS Inspection/Decryption") which should only be done with a special non-trusted certificate
+### Proprietary verification
+
+Even post-ACME, they still support non-standard verifications, in fact in September 2014 they added the non-standard ability to set custom emails via DNS TXT records: <https://support.globalsign.com/ssl/ssl-certificates-life-cycle/using-dns-txt-records-specifying-domain-approver-emails>
+
+### Custom CAs
+
+- <https://www.globalsign.com/en/custom-ca-private-pki> seems to allow man-in-the-middle ("SSL/TLS Inspection/Decryption") which should only be done with a special non-trusted certificates.
+
- Cross-signs other CAs, which while interesting for allowing new CA, ultimately means having to trust all the cross-signed CAs
## COMODO
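Review bot: the "Custom CAs" bullet now reads "a special non-trusted certificates", which mixes singular and plural; it should be "a special non-trusted certificate" (or drop the article). Two further points in the same hunk: the unchanged "Cross-signs other CAs" bullet now lands under the new "### Custom CAs" heading, although cross-signing is not a custom/private-PKI matter, so it wants its own subsection (e.g. "### Cross-signing") or the heading should be renamed to cover both items; and the "Proprietary verification" paragraph asserts that the DNS TXT approver-email mechanism is "non-standard" without saying which standard it falls outside, so a short clause naming the validation rules it deviates from would make the objection checkable by a reader who follows the support link. Minor: the hunk adds a blank line after the H1 but "## COMODO" still follows the list with no blank line, so the spacing is inconsistent within the file.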