GoDaddy: Does not provide a method for domain owners to revoke their certificates
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: scx32, Assigned: sdeitte)
Details
(Whiteboard: [ca-compliance] [policy-failure] [external])
Steps to reproduce:
GoDaddy CA (formerly Starfield) does not provide a method for domain owners to revoke their certificates.
Comment 1•4 months ago
(In reply to scx32 from comment #0)
Steps to reproduce:
GoDaddy CA (formerly Starfield) does not provide a method for domain owners to revoke their certificates.
Hello,
We have all options for requesting revocations on any GoDaddy issued certificates defined in our CP/CPS on sections 4.9.2 and 4.9.3. Our CP / CPS can be found at https://certs.godaddy.com/repository/certificate_practices/StarfieldCertificatePolicyandCertificationPracticeStatement.pdf. If you are having any issues requesting revocation for a certificate please contact us via email to practices [at] starfieldtech [dot] com.
Thanks,
Steven
Comment 3•3 months ago
Here's the relevant part of https://certs.godaddy.com/repository/certificate_practices/StarfieldCertificatePolicyandCertificationPracticeStatement.pdf:
4.9.3 Procedure for Revocation Request
...
Revocations may be requested:
...
• by anyone who can access appropriate ACME API endpoint and demonstrate control over all domains in the Subject.
This seems to satisfy the request, but I notice a missing "the" ("who can access the appropriate ACME API endpoint"). And perhaps more importantly: "all domains in the Subject" is probably inaccurate, since the Subject can only ever hold one FQDN. Perhaps subjectAltName was intended?
The RFC 8555 language is this (https://certs.godaddy.com/repository/certificate_practices/StarfieldCertificatePolicyandCertificationPracticeStatement.pdf):
The server MUST consider at least the following accounts authorized for a given certificate:
...
o an account that holds authorizations for all of the identifiers in the certificate.
The certs were issued by GoDaddy Hosting for my domain, but it is now no longer on GoDaddy. The problem is that the certificate is shared with other domains that are not mine, so Section 4.9.3 does not apply.
scx32, out of curiosity did you reach out to practices@starfieldtech.com?
GoDaddy: Can you please clarify what you intended to mean in the section of the CPS as pointed out in Comment 3?
I want everyone to know that this is happening: GoDaddy, so that they provide a method for domain owners to revoke their certificates (preferably a web interface and API with DNS and WHOIS/RDAP email validation); users of GoDaddy, so that they can place more scrutiny on GoDaddy; and people who are choosing a hosting provider, so that they may take this into account.
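The RFC 8555 rule quoted in Comment 3, worked through as an added illustration (this is not code from the bug report, from GoDaddy or from the RFC): an account may revoke only if it holds authorizations for every identifier in the certificate's SAN list, so the holder of some names on a shared hosting certificate is refused. Domain names are constructed placeholders; the wildcard mapping (a "*.example" SAN needs a base-domain authorization with the wildcard flag set) follows RFC 8555 section 7.1.4.

```python
"""RFC 8555 section 7.6 revocation-authorization check (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One valid ACME authorization object (RFC 8555 section 7.1.4)."""
    type: str        # "dns" or "ip"
    value: str       # base domain when wildcard is True
    wildcard: bool = False


def required_authorizations(san_identifiers):
    """Map certificate identifiers (type, value) to the authorizations needed.

    The SAN list is used, not the Subject CN: the Subject can hold only one
    name while the certificate may cover many. A "*.example" name needs an
    authorization for "example" carrying wildcard=True.
    """
    needed = set()
    for typ, value in san_identifiers:
        value = value.lower().rstrip(".")
        if typ == "dns" and value.startswith("*."):
            needed.add(Authorization("dns", value[2:], True))
        else:
            needed.add(Authorization(typ, value, False))
    return needed


def revocation_authorized(san_identifiers, account_authorizations):
    """Return (authorized, missing); missing is the set of identifiers the
    account lacks, which is why one customer cannot revoke a shared cert."""
    needed = required_authorizations(san_identifiers)
    held = {Authorization(a.type, a.value.lower().rstrip("."), a.wildcard)
            for a in account_authorizations}
    missing = needed - held
    return (not missing, missing)


# Constructed sample: a hosting certificate shared between the reporter's
# domain and two unrelated customers' domains (placeholder names).
SHARED_CERT_SANS = [("dns", "reporter-example.test"),
                    ("dns", "www.reporter-example.test"),
                    ("dns", "other-customer-a.test"),
                    ("dns", "other-customer-b.test")]
REPORTER_AUTHZ = [Authorization("dns", "reporter-example.test"),
                  Authorization("dns", "www.reporter-example.test")]
```

Running `revocation_authorized(SHARED_CERT_SANS, REPORTER_AUTHZ)` reports the two foreign names as missing, which is exactly the situation the reporter describes; once those names leave the certificate (or the account proves control of them) the check passes.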
Comment 7•3 months ago
Section 4.9.3 of our CP/CPS provides the mechanism to support properly validated requests to revoke certificates for domain owners in this scenario. We will be reviewing our language in section 4.9.3 and will make improvements to clarify that this scenario is explicitly covered in the future.
Thanks,
Steven
Steven, why are the certs issued by Hosting shared with other completely unrelated websites?
Comment 9•3 months ago
GoDaddy CA issued the SSL certificate based on a validated request. We've talked with the requesting party about implementing best practices to avoid this situation in the future.
Comment 11•2 days ago
Hi Ben,
We are in the process of our annual CP/CPS review and plan to have these updates incorporated into version 5.01 of our CP/CPS. We are targeting March 2025 for publication of that new version.
Thanks,
Steven