[cabfpub] Draft CAA motion (2)

Gervase Markham gerv at mozilla.org
Fri Nov 18 14:54:00 UTC 2016

On 17/11/16 21:18, Steve Medin wrote:
> TCSCs, when the domain names aren't known, don't scale for customers who add
> brandspace constantly. 

Yes, I understand that. If the list of domain names is changing
constantly, to my mind that's all the more reason to maintain CAA
checks, because it's much easier for mistakes to be made - such as a
domain not owned by the large customer in question making it on to the
list, or them selling one and it not getting taken off.

I think this is the fundamental disconnect. I think that CAA provides a
useful protection for arbitrary domain owners from CA process missteps,
which are just as likely to happen when a big CA with an enterprise
customer is juggling a large and constantly-changing domain list, as
they are in any other issuance scenario. "Just trust us not to screw
this up; we're big" is not good enough.

The only alternative I can see to the current ballot is to remove the
section about "permitted exceptions" entirely and allow CAs to write any
exceptions they like into their CP/CPS, but for Mozilla policy to
specify the exceptions we allow (i.e. the existing list), and say that
anything else is counted by us as a serious misissuance. Then, if you
want to trapeze without a safety net with your enterprise customers, you
could go right ahead.

