On Sat, 16 May 2020 14:02:42 +0200
Kurt Roeckx via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> https://crt.sh/?id=1902422627
> It's a certificate for api.pillowz.kz with the public key of Let's
> Encrypt Authority X1 and X3 CAs.
> It's revoked since 2020-01-31, but I couldn't find any incident
> report related to it.

Hi Kurt,

It's not obvious what's non-compliant about this certificate - could you
explain?  Note that there is no requirement or security need for CAs to
validate proof of possession of a private key.  Therefore, it's
entirely acceptable for a subscriber to request a certificate for
someone else's public key, although the certificate would be useless to
