[cabfpub] Draft CAA motion (2)

Peter Bowen pzb at amzn.com
Fri Nov 11 14:52:06 UTC 2016

> On Nov 11, 2016, at 6:44 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 11/11/16 14:39, Peter Bowen wrote:
>> A small correction.  I do not believe that Amazon (as a domain registrant) has stated that we will use CAA.
> Apologies. I should have said that Amazon have indicated that they had
> some problems which CAA, used in this way and deployed universally,
> would solve. Is that fair? :-)

Amazon had indicated that there are hundreds of publicly trusted certificates which contain FQDNs ending in domain names which Amazon (including affiliates) controls and where the Subscriber is not Amazon or a party authorized to act on Amazon’s behalf.  We believe that the CAs who issued these certificates did so in good faith and that they properly performed validation of control of the FQDN according to the BRs.  I do not believe we have stated that this is a problem.

Amazon would prefer that all authorizations for certificates ending in our domain names go through our internal approval process.  This is different from it being a problem that our customers have requested certificates for FQDNs that they are using.


More information about the Public mailing list