[cabf_validation] Method 7, when the CA is involved

Ryan Sleevi sleevi at google.com
Wed Jan 5 18:32:39 UTC 2022

On Wed, Jan 5, 2022 at 1:27 PM Doug Beattie <doug.beattie at globalsign.com> wrote:

> Hey Ryan,
> I’d be interested in your opinion on the Amazon AWS process.  While they
> are not a CA, they aren’t the subscriber either and they facilitate
> automated domain validation much like Tim outlined below.
> https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
> Should this also be prohibited?

Actually, Amazon (AWS) makes it explicit that they are the
Subscriber/Applicant, IIRC. AWS is obtaining certificates not from ATS, but
from DigiCert, and AWS executes the Subscriber Agreement with DigiCert. I
believe they may also execute a ToU with ATS (given the Affiliate nature).

Notably, AWS does not provide access to the key to their customers as well,
precisely because (again, AIUI), the customer is not the

I'd need to dig through the AWS Service agreement again, or perhaps Trev
can chime in with the cite, but IIRC, this was made explicit (in that AWS
was the Subscriber, and that the Customer, as Domain representative, was
authorizing AWS to become a Subscriber for their domains).