This is misleading, as noted by @sleevi_. Sub-CAs are still operated by DigiCert; desirable restrictions could be set as CAA params (provided the CA supports them).
My general take away is: CAA records don’t work the way you (well, I) thought. (But see thread below.)https://twitter.com/jschauma/status/1144289721595650048 …
ISTM the problem isn't that CAA doesn't work as expected, but that the certificate issuer field doesn't work as expected - it often lists an org besides the one that issued the certificate. If monitoring tools displayed the true issuer instead, would you have been less confused?
3:20 PM - 27 Jun 2019
0 replies
0 retweets
1 like
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.