[cabfpub] CAA Exceptions listed in Ballot 187

Gervase Markham gerv at mozilla.org
Thu May 25 15:58:15 UTC 2017


On 25/05/17 16:43, Doug Beattie via Public wrote:
> I'm not clear on the reference to a contractual provision in the
> contract with the Applicant.  The Applicant is the natural person or
> Legal Entity that applies for a Certificate.  Is the Applicant in
> this case the person applying for the CA certificate or the SSL
> certificate?

It is anticipated that a TCSC will be constrained to domains owned by a
single entity. It is the contract with that entity which is in view.

> I'm not clear what this means: "the CA is the DNS Operator of the
> domain's DNS".  We all run DNS servers in our data centers, and this
> does not state that this must be the Authoritative DNS server, so in
> what cases does this exception apply?  I'm assuming the CA needs to
> "own" the domains in question, but how does that fall out of this
> requirement?

As Ryan says, it means authoritative DNS. Basically, if the CA controls
the authoritative DNS servers, there's not much point in requiring them
to put a message in DNS for themselves to read.

Gerv


