[cabfpub] Draft CAA motion (2)

Steve Medin Steve_Medin at symantec.com
Mon Nov 14 16:55:35 UTC 2016


Such whitelists already exist across many CAs, and even those who handle few 
long term or high volume relationships have automation or tools to assist 
their people with finding prior validations performed within 13 or 39 months 
that carry equal weight to a whitelisted domain in a managed services account.

The idea of this and only this work to validate a domain for 13 or 39 months 
and then rely on it for an undetermined number of certificates is indeed a 
heavy decision we've all been making for years.

> -----Original Message-----
> From: Gervase Markham [mailto:gerv at mozilla.org]
> Sent: Friday, November 11, 2016 6:20 AM
> To: Steve Medin <Steve_Medin at symantec.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> Subject: Re: [cabfpub] Draft CAA motion (2)
>
> On 10/11/16 18:29, Steve Medin wrote:
> > Well, that depends on the validity of a contract from the customer
> > that absolves the CA from the requirement to check CAA within their
> service.
>
> The failure case I was thinking of is if a domain they shouldn't actually 
> get
> certs for ends up on their whitelist. You'd have to be pretty confident that
> could never, ever happen.
>
> Gerv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5744 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161114/5d1967ff/attachment-0001.p7s>


More information about the Public mailing list