On Thu, 1 Mar 2018 10:51:04 +0000 Ben Laurie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Seems to me that signing something that has nothing to do with certs
> is a safer option - e.g. sign random string+Subject DN.

That does sound sane. I confess I have not spent much time playing with easily available tools to check what is or is not easily possible on each platform in terms of producing and checking such proofs. I knew that you can make a CSR on popular platforms, and I knew how to check a CSR is valid, and a bogus CSR seemed obviously harmless to me.

I feel sure I saw someone's carefully thought through procedure for proving control over a private key written up properly for close to this sort of situation, but I have tried and failed to find it again since the incident was first reported, and apparently Jeremy didn't know it either.