On Mon, Mar 23, 2020 at 2:43 PM Bruce via dev-security-policy < [email protected]> wrote:
> On Thursday, March 19, 2020 at 2:02:39 AM UTC-4, Matt Palmer wrote: > > > 1. *Are* there explicit prohibitions on issuing a certificate for a > private > > key which has been previously submitted *to that CA* as compromised > > (assuming, of course, that the prior submission was valid), and I'm > just > > not good at finding said prohibitions? > > > BR 6.1.1.3 has a weak key clause, "The CA SHALL reject a certificate > request if the requested Public Key does not meet the requirements set > forth in Sections 6.1.5 and 6.1.6 or if it has a known weak Private Key > (such as a Debian weak key, see http://wiki.debian.org/SSLkeys)." > > I would think that "issuing a certificate for a private key which has been > previously submitted *to that CA* as compromised" is not in the spirit of > the weak key clause. It would be best if the CA would blacklist the public > key to prevent future issuance for the compromised private key. > Yeah, https://github.com/cabforum/documents/issues/171 is filed to track this. I've held off preparing a CA/Browser Forum ballot so that we can make sure to address the issue(s) holistically here, as we see the incidents coming in. (Sorry for the double post, from the right address this time) _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
