[cabfpub] Draft CAA motion (2)

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Nov 17 17:02:09 UTC 2016

No. The exception is to allow a customer with an enterprise relationship with one CA not to have a CAA hard fail. If the customer does not have an enterprise relationship with the other CAs, then this exception does not apply.

An attacker cannot set up an enterprise relationship as their verification will fail.

Please note that we have over 15 years' experience in setting up enterprise relationships with Subscribers with an exceptional success rate.


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Thursday, November 17, 2016 11:07 AM
To: Bruce Morton <Bruce.Morton at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Doug Beattie <doug.beattie at globalsign.com>; Peter Bowen <pzb at amzn.com>
Subject: Re: [cabfpub] Draft CAA motion (2)

On 17/11/16 15:56, Bruce Morton wrote:
> [BM] To avoid a relationship with an attacker the CA could have an 
> "enterprise" relationship with the Subscriber.

So if I'm a big corporation, I need to have enterprise relationships with every CA, to prevent an attacker setting up a relationship with that CA and pretending to be me?

