I'm happy to announce a new tool for inspecting the domain validation
practices of CAs:

https://dcv-inspector.com

You can use DCV Inspector to determine the vantage points from which the
CA sends domain validation requests, and to detect the use of Delegated
Third Parties, such as Google Public DNS. It works by creating a unique
subdomain for each test. When you request a certificate from a
CA for this subdomain, DCV Inspector records all of the DNS queries,
HTTP requests, and emails sent to the subdomain, and presents them
to you for your inspection.

Example test report:
https://dcv-inspector.com/test/46e4bd9d8faef1d36bab7a9eff7b9524

At the moment, DCV Inspector doesn't make any assessment about whether
or not the test results are compliant, but I envision a future
version including some automated compliance checks where possible.

DCV Inspector is open source and can be self-hosted if desired.
Bug reports and feature ideas (especially about possible automated
compliance checks) are welcome, either here or at GitHub:
https://github.com/SSLMate/dcv-inspector

Unfortunately, the majority of CAs are difficult to test because
their certificates cost money or are not even offered to the
general public. A lot of badness may be flying under the radar
as a result, such as the use of public DNS resolvers. Consider
https://bugzilla.mozilla.org/show_bug.cgi?id=1872371 which was only
detected because the CA offers a free ACME endpoint. There are surely
other CAs using public DNS resolvers.

I believe it would be extremely beneficial to require CAs to offer some
sort of public endpoint for issuing test certificates so that their
domain validation practices can be independently verified. A more
modest proposal that would also help would be requiring CAs to include
a DCV Inspector test report as part of their annual self-assessment.

Would love to hear your thoughts about how to improve transparency into
domain validation practices!

Regards & happy new year,
Andrew
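As an added illustration (not part of the post above and not code from the DCV Inspector project), here is the kind of automated check the post envisions: given the DNS and HTTP sources recorded for one test subdomain, list the vantage points, flag any source that falls inside a configured third-party resolver range, and check that DNS lookups came from more than one network. The observations, the "example-public-dns" prefixes, and the /24 and /48 grouping are constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what a DCV Inspector-style test might record for one
# test subdomain, as (traffic kind, source address). No real CA traffic.
OBSERVATIONS = [
    ("dns", "203.0.113.10"),     # CA's own resolver, validation vantage 1
    ("dns", "198.51.100.7"),     # second vantage (multi-perspective)
    ("dns", "2001:db8:1::53"),   # resolver inside an assumed third-party range
    ("http", "203.0.113.10"),    # HTTP challenge fetch from vantage 1
    ("http", "198.51.100.7"),
]

# Prefixes of resolvers operated by someone other than the CA. Assumed values
# for illustration only; a real check would load the operator's published list.
THIRD_PARTY_RESOLVERS = {
    "example-public-dns": ["2001:db8:1::/48", "192.0.2.0/24"],
}

def classify(addr):
    """Return the third-party operator name for addr, or None if it matches none."""
    ip = ipaddress.ip_address(addr)
    for name, prefixes in THIRD_PARTY_RESOLVERS.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None

def vantage_key(addr):
    """Group sources by network: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    ip = ipaddress.ip_address(addr)
    plen = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def assess(observations, min_dns_vantages=2):
    """Summarise recorded validation traffic for one test subdomain.

    Returns the distinct sources per traffic kind, the sources matched to a
    third-party resolver, and whether DNS lookups came from at least
    min_dns_vantages distinct networks not attributed to a third party.
    """
    sources = defaultdict(set)
    for kind, addr in observations:
        sources[kind].add(addr)
    third_party = {a: classify(a) for k in sources for a in sources[k] if classify(a)}
    own_dns_nets = {vantage_key(a) for a in sources["dns"] if a not in third_party}
    return {
        "sources": {k: sorted(v) for k, v in sources.items()},
        "third_party": third_party,
        "multi_perspective": len(own_dns_nets) >= min_dns_vantages,
    }
```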