[cabfpub] Draft CAA motion

Ryan Sleevi sleevi at google.com
Wed Nov 9 17:04:31 UTC 2016


What would prevent a random person in Google Marketing from executing a
contract with Entrust? How would Entrust determine that person is or is not
authorized? How would that be normalized across the industry? How would
Google signal to Entrust that such a person was not authorized to sign
contracts on Google's behalf?

These are all things for which your reply is, ultimately, based on how
Entrust does its business, and other CAs may differ in practices or rigor -
which is why it is very much the realm of CA policy in how it executes such
agreements, and subscribers have no way to prevent CAs from being fooled or
signalling that they're making a mistake.

On Wed, Nov 9, 2016 at 8:25 AM, Bruce Morton via Public <public at cabforum.org> wrote:

> This doesn't make CAA in the realm of CA policy. This puts certificate
> issuance in the realm of certificate Subscriber policy, which I think we
> all respect through our BR and EV documents.
> Bruce.
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
> Markham via Public
> Sent: Wednesday, November 9, 2016 10:12 AM
> To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> Cc: Gervase Markham <gerv at mozilla.org>
> Subject: Re: [cabfpub] Draft CAA motion
> I'm sorry, but that moves CAA from the realm of enforced site policy to
> the realm of CA policy, which defeats much of the point. We have discussed
> this recently on this list, I believe.