[cabfpub] Draft CAA motion
Gervase Markham
gerv at mozilla.org
Thu Nov 10 10:44:10 UTC 2016
On 09/11/16 18:04, Doug Beattie via Public wrote:
> I’d be OK with doing a CAA check at the time the contract is signed if
> that helps. The case is really the one Jeremy mentioned where the same
> customer needs to issue millions/thousands of certificates to the same
> domain (different FQDNs) and a well-defined contractual relationship
> exists.
If they are to the same domain, a name-constrained intermediate would
solve the problem, as I plan to take up Jeremy's suggestion of allowing
them to be (optionally, if specified in contract) excluded from CAA checks.
Gerv
More information about the Public
mailing list