logo

ca-certificates

Unnamed repository; edit this file 'description' to name the repository. git clone https://anongit.hacktivis.me/git/ca-certificates.git/
commit: a9db522851fa9a73045c39951390e61cbec21081
parent ae82d4612a0299c1f6e8d7977439caaee4d548f3
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Mon, 23 Dec 2024 09:05:43 +0100

RejectedCAs: GlobalSign added non-standard DNS TXT records

Diffstat:

MRejectedCAs.md11+++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/RejectedCAs.md b/RejectedCAs.md @@ -1,7 +1,14 @@ # Rejected Certificate Authorities + ## GlobalSign -- Appears to still support non-standard verifications -- <https://www.globalsign.com/en/custom-ca-private-pki> seems to allow man-in-the-middle ("SSL/TLS Inspection/Decryption") which should only be done with a special non-trusted certificate +### Proprietary verification + +Even post-ACME, they still support non-standard verifications, in fact in September 2014 they added the non-standard ability to set custom emails via DNS TXT records: <https://support.globalsign.com/ssl/ssl-certificates-life-cycle/using-dns-txt-records-specifying-domain-approver-emails> + +### Custom CAs + +- <https://www.globalsign.com/en/custom-ca-private-pki> seems to allow man-in-the-middle ("SSL/TLS Inspection/Decryption") which should only be done with a special non-trusted certificates. + - Cross-signs other CAs, which while interesting for allowing new CA, ultimately means having to trust all the cross-signed CAs ## COMODO