[cabf_validation] Method 7, when the CA is involved

Doug Beattie doug.beattie at globalsign.com
Wed Jan 5 18:46:35 UTC 2022


Ok, that’s good to know.  I assumed that the end customer had access to their keys and thus was the subscriber, but that was a poor assumption.  I did just find this statement:

* You cannot download the private key for an ACM certificate.

Doug
From: Ryan Sleevi <sleevi at google.com> 
Sent: Wednesday, January 5, 2022 1:33 PM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: CA/Browser Forum Validation SC List <validation at cabforum.org>; Tim Hollebeek <tim.hollebeek at digicert.com>
Subject: Re: [cabf_validation] Method 7, when the CA is involved
On Wed, Jan 5, 2022 at 1:27 PM Doug Beattie <doug.beattie at globalsign.com> wrote:

Hey Ryan,
I’d be interested in your opinion on the Amazon AWS process.  While they are not a CA, they aren’t the subscriber either and they facilitate automated domain validation much like Tim outlined below.
https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
Should this also be prohibited?
Actually, Amazon (AWS) makes it explicit that they are the Subscriber/Applicant, IIRC. AWS is obtaining certificates not from ATS, but from DigiCert, and AWS executes the Subscriber Agreement with DigiCert. I believe they may also execute a ToU with ATS (given the Affiliate nature).
Notably, AWS does not provide access to the key to their customers as well, precisely because (again, AIUI), the customer is not the Applicant/Subscriber.
I'd need to dig through the AWS Service agreement again, or perhaps Trev can chime in with the cite, but IIRC, this was made explicit (in that AWS was the Subscriber, and that the Customer, as Domain representative, was authorizing AWS to become a Subscriber for their domains).
