benburkert 3 days ago

We theoretically could, but those certificates would show up in CT logs. (For quick & easy monitoring, you can get an RSS feed for your domain on https://crt.sh/, but it's not the most reliable service.) It would be a reputation killer if we did that, just like it would be for your DNS provider or ISP.

Reply View 3 replies
  • masfuerte 3 days ago

    Right, but if you want people to trust you, you need to be open about what people are trusting you with. Your original answer seemed obfuscatory.

    Reply View 2 replies
    • benburkert 3 days ago

      Sorry, not trying to obfuscate anything, hopefully this clarifies: users trust us to hold their ACME account key and we only ask for DNS records prefixed with `_acme-challenge.` to be CNAME delegated.

      With this we could issue or revoke a new certificate, but we couldn't impersonate them because we don't control the rest of their DNS.

      Reply View 1 reply
      • dogleash 3 days ago

        > we couldn't impersonate them because we don't control the rest of their DNS.

        If that were true, nobody would need signed certificates in the first place.

        Reply View 0 replies
nbadg 3 days ago

Certificate transparency logs are likely the only realistic way, but you could make the same argument against your DNS provider. Trust has to start somewhere.

Whether or not something like this makes sense to you is probably a question of your personal threat model.

Reply View 1 reply
  • weddpros 3 days ago

    Seeing how people are worried about third parties issuing certificates, I encourage using a tool to monitor CT Logs. It really makes the fog of war disappear around your certificates.

    https://crt.sh for point in time checks, https://sslboard.com for comprehensive oversight (disclosure: I'm the founder)

    Reply View 0 replies