Stumbled on this Ars article this morning about Cloudflare’s upcoming free multipath check service for CAs. Curious what the community thinks about it.

On the one hand, I like the idea of hardening the domain validation process from another attack vector. But it will also add complexity from the CA side and a single (though large) point of failure unless additional large companies provide a similar service.

The article mentions wanting the CAB to eventually make multipath checking mandatory. I don’t really follow CAB discussions. Has there been any preliminary rumbling about it?

Nothing substantial that I’ve seen.

The actual DCV would not (and I believe cannot, according to the CAB requirements) rely on a check like this – multipoint validation would have to be performed by CA-controlled infrastructure. But I don’t see why a CA would be forbidden from using such a service as an (optional) check.

But yes, as you say: it does mean such a CA would have to accept the possibility of service unavailability and then decide how to handle that:

  • Issue the cert anyway if official validation succeeded, rendering the service mostly useless
  • Not issue the cert, and tolerate potentially more downtime

Both are not awesome, unfortunately. One possible way to improve the second option is to have multiple CDNs offer this service and then integrate with all of them, but that’s still not ideal.
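The two options above amount to a fail-open versus fail-closed policy for the external check, layered on top of the CA's own multi-perspective quorum. The following is an added illustration of that decision logic, written for this thread; it is not code from Let's Encrypt, Cloudflare, or any CA, and the vantage-point names, the challenge token, the `min_agreeing` quorum and the `fail_open` / `fail_closed` policy labels are all constructed for the example.

```python
"""Toy decision logic for a CA that combines its own multi-perspective
domain validation with an optional external multipath check.

Constructed example; not Let's Encrypt, Cloudflare, or CA/B Forum code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Tuple


class Outcome(Enum):
    MATCH = "match"              # vantage point saw the expected challenge value
    MISMATCH = "mismatch"        # vantage point saw something else (localized tampering signal)
    UNAVAILABLE = "unavailable"  # vantage point could not complete the check


@dataclass(frozen=True)
class VantageResult:
    name: str            # hypothetical vantage point label
    outcome: Outcome
    ca_controlled: bool  # True: CA's own perspective; False: external service


def classify(expected: str, observed: Optional[str]) -> Outcome:
    """Map what one vantage point observed to an Outcome."""
    if observed is None:
        return Outcome.UNAVAILABLE
    return Outcome.MATCH if observed == expected else Outcome.MISMATCH


def decide(results: Iterable[VantageResult], min_agreeing: int = 2,
           external_policy: str = "fail_closed") -> Tuple[str, str]:
    """Return ("issue" | "deny", reason).

    Rules (constructed for this example):
      * Any MISMATCH from a CA-controlled perspective denies issuance; a
        perspective that saw the wrong value is exactly what the scheme exists
        to catch.
      * At least `min_agreeing` CA-controlled perspectives must MATCH; CA
        perspectives that were UNAVAILABLE do not count toward the quorum.
      * The external check is advisory. A MISMATCH there still denies, but an
        UNAVAILABLE result is resolved by `external_policy`: "fail_open"
        issues anyway (the check adds nothing while it is down), "fail_closed"
        denies (more robust, more downtime when the service is out).
    """
    results = list(results)
    ca = [r for r in results if r.ca_controlled]
    external = [r for r in results if not r.ca_controlled]

    bad = [r.name for r in ca if r.outcome is Outcome.MISMATCH]
    if bad:
        return "deny", f"mismatch at CA perspective(s): {', '.join(bad)}"

    agreeing = sum(r.outcome is Outcome.MATCH for r in ca)
    if agreeing < min_agreeing:
        return "deny", (f"only {agreeing} of {len(ca)} CA perspectives matched "
                        f"(need {min_agreeing})")

    if any(r.outcome is Outcome.MISMATCH for r in external):
        return "deny", "external multipath check reported a mismatch"

    if any(r.outcome is Outcome.UNAVAILABLE for r in external):
        if external_policy == "fail_open":
            return "issue", "external check unavailable; fail-open policy"
        return "deny", "external check unavailable; fail-closed policy"

    return "issue", "all CA perspectives and external check agree"


# Constructed sample: the token the CA expects to find in the challenge, and
# what each vantage point actually saw (None = that perspective was unreachable).
EXPECTED = "tok-8f3a"


def sample_run(external_observed: Optional[str], external_policy: str) -> Tuple[str, str]:
    """Build a result set from constructed observations and decide on it."""
    observations = [
        ("ca-us-east", EXPECTED, True),
        ("ca-eu-west", EXPECTED, True),
        ("ca-ap-south", None, True),  # this CA perspective timed out
        ("external-cdn", external_observed, False),
    ]
    return decide(
        (VantageResult(n, classify(EXPECTED, o), c) for n, o, c in observations),
        external_policy=external_policy,
    )


if __name__ == "__main__":
    for ext, pol in [(EXPECTED, "fail_closed"), (None, "fail_open"),
                     (None, "fail_closed"), ("tok-other", "fail_open")]:
        print(f"external={ext!r} policy={pol}: {sample_run(ext, pol)}")
```

The point the model makes visible is that the external service's availability only ever matters on the fail-closed path; under fail-open, an outage degrades silently to the CA's own quorum, which is why the first option above "renders the service mostly useless" during exactly the window an outage might coincide with.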

Let’s Encrypt already performs validation checks in its staging environment using multiple vantage points: Validating challenges from multiple network vantage points

