Hi, Today we've bought a wildcard certificate [0] for our cofano.io domain from Sectigo (previously ComodoCA) via a reseller. Our CAA policy describes that only "comodoca.com" can issue wildcards. The certificate has been issued and signed by Sectigo's 'new' intermediate and root [1] [2].
My question is the following: Was Sectigo allowed to sign the certificate using their Sectigo (not ComodoCA) keys, while my CAA record specifies 'issuewild "comodoca.com"'? I.E. How should a CA name change be reflected in ( CAA ) conformance? Especially since the Sectigo CPS [3] still only specifies Comodo as their issuer name, which conflicts with the CN/O of the signing certificate [1]. Thanks in advance, Matthias van de Meent PS. If this is not the correct location for such questions, then please advise on where to ask instead. My basic knowledge is just that - basic - and only got me so far. I have searched the archives of this mailing list for 'CA name change' and 'Sectigo', which both resulted in no relevant results for this question. [0] https://crt.sh/?id=1169278151 [1] https://crt.sh/?caid=105493 [2] https://crt.sh/?caid=1167 [3] https://sectigo.com/legal _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy