[cabfpub] Draft CAA motion

Doug Beattie doug.beattie at globalsign.com
Wed Nov 9 18:04:03 UTC 2016

I’d be OK with doing a CAA check at the time the contract is signed if that helps. The case is really the one Jeremy mentioned where the same customer needs to issue millions/thousands of certificates to the same domain (different FQDNs) and a well-defined contractual relationship exists. Is there a way we can comply via policy vs. technical controls? Of course via documented procedures and auditable.


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Wednesday, November 9, 2016 12:05 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>; Bruce Morton <Bruce.Morton at entrustdatacard.com>
Subject: Re: [cabfpub] Draft CAA motion


What would prevent a random person in Google Marketing from executing a contract with Entrust? How would Entrust determine that person is or is not authorized? How would that be normalized across the industry? How would Google signal to Entrust that such a person was not authorized to sign contracts on Google's behalf?

These are all things for which your reply is, ultimately, based on how Entrust does its business, and other CAs may differ in practices or rigor - which is why it is very much the realm of CA policy in how it executes such agreements, and subscribers have no way to prevent CAs from being fooled or signalling that they're making a mistake.

On Wed, Nov 9, 2016 at 8:25 AM, Bruce Morton via Public <public at cabforum.org> wrote:
This doesn't make CAA in the realm of CA policy. This puts certificate issuance in the realm of certificate Subscriber policy, which I think we all respect through our BR and EV documents.


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Wednesday, November 9, 2016 10:12 AM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Draft CAA motion

I'm sorry, but that moves CAA from the realm of enforced site policy to the realm of CA policy, which defeats much of the point. We have discussed this recently on this list, I believe.
