On Mon, Feb 4, 2019 at 10:46 AM Matthias van de Meent via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi,
>
> Today we've bought a wildcard certificate [0] for our cofano.io domain
> from Sectigo (previously ComodoCA) via a reseller. Our CAA policy
> describes that only "comodoca.com" can issue wildcards. The
> certificate has been issued and signed by Sectigo's 'new' intermediate
> and root [1] [2].
>
> My question is the following: Was Sectigo allowed to sign the
> certificate using their Sectigo (not ComodoCA) keys, while my CAA
> record specifies 'issuewild "comodoca.com"'?

Yes

> I.e. how should a CA name
> change be reflected in (CAA) conformance? Especially since the
> Sectigo CPS [3] still only specifies Comodo as their issuer name,
> which conflicts with the CN/O of the signing certificate [1].

There's zero requirement about any such mapping.

The Baseline Requirements, Section 2.2, requires that CAs disclose their policies and respected domains for their CAA policy. Section 3.2.2.8 places more requirements, largely around the processing/validation model. The question of domain names is not touched.

Thus, a CA can disclose in their CP/CPS many domains, including those of affiliated or non-affiliated CAs. Provided that this is disclosed in their CP/CPS, and their exception process is clearly documented for domains not in that enumerated list, then they're complying.

Sectigo's CP/CPS discloses that they'll issue for comodoca.com (4.2 of their CPS - https://sectigo.com/uploads/files/Comodo-CA-CPS-4-2.pdf ; section 4.2.4), therefore they've met the requirements.
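The CAA evaluation the thread describes, as an added example that is not code from either poster: an RFC 8659-style check that climbs from the requested name to a parent holding CAA records, lets `issuewild` take precedence over `issue` for wildcard names, and then asks whether any issuer domain in the record matches one of the identifiers the CA has disclosed in its CPS. The zone data is constructed, and the CA identifier set is an assumption (the thread confirms only that Sectigo's CPS names comodoca.com; "sectigo.com" is an assumed extra entry).

```python
from typing import Dict, List, Set, Tuple

# Constructed zone data: CAA (tag, value) records per DNS name.
# cofano.io mirrors the thread: wildcards restricted to comodoca.com.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "cofano.io": [("issue", "letsencrypt.org"), ("issuewild", "comodoca.com")],
    "locked.test": [("issue", ";")],  # RFC 8659: 'issue ";"' forbids all issuance
}

# Assumed set of issuer domain names the CA treats as its own, per its CPS.
CA_IDENTIFIERS: Set[str] = {"comodoca.com", "sectigo.com"}


def lookup_caa(name: str) -> List[Tuple[str, str]]:
    """Return the first non-empty CAA RRset walking from name up to the root."""
    labels = name.split(".")
    for i in range(len(labels)):
        records = ZONE.get(".".join(labels[i:]))
        if records:
            return records
    return []


def issuer_domain(value: str) -> str:
    """Strip CAA parameters ('comodoca.com; account=1') to the bare issuer domain."""
    return value.split(";")[0].strip().lower()


def caa_permits(name: str, ca_identifiers: Set[str]) -> bool:
    """True if the relevant CAA RRset allows a CA known by ca_identifiers to issue for name."""
    wildcard = name.startswith("*.")
    # Simplification: start the climb at the name with the '*' label removed.
    records = lookup_caa(name[2:] if wildcard else name)
    # For wildcard names issuewild governs when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in records):
        tag = "issuewild"
    relevant = [issuer_domain(v) for t, v in records if t == tag]
    if not relevant:
        return True  # no issue/issuewild property in scope: issuance unrestricted
    return any(d in ca_identifiers for d in relevant)
```

Run with `caa_permits("*.cofano.io", CA_IDENTIFIERS)` to see why the wildcard issuance in the thread is permitted once the CA's disclosed identifiers include comodoca.com.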