[cabfpub] Draft CAA motion

Gervase Markham gerv at mozilla.org
Thu Nov 10 10:44:10 UTC 2016


On 09/11/16 18:04, Doug Beattie via Public wrote:
> I’d be OK with doing a CAA check at the time the contract is signed if
> that helps. The case is really the one Jeremy mentioned where the same
> customer needs to issue millions/thousands of certificates to the same
> domain (different FQDNs) and a well-defined contractual relationship
> exists.

If they are to the same domain, a name-constrained intermediate would
solve the problem, as I plan to take up Jeremy's suggestion of allowing
them to be (optionally, if specified in contract) excluded from CAA checks.

Gerv


