On Sat, 16 May 2020 14:02:42 +0200 Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> https://crt.sh/?id=1902422627
>
> It's a certificate for api.pillowz.kz with the public key of Let's
> Encrypt Authority X1 and X3 CAs.
>
> It's revoked since 2020-01-31, but I couldn't find any incident
> report related to it.

Hi Kurt,

It's not obvious what's non-compliant about this certificate - could you explain?

Note that there is no requirement or security need for CAs to validate proof of possession of a private key. Therefore, it's entirely acceptable for a subscriber to request a certificate for someone else's public key, although the certificate would be useless to them.

Regards,
Andrew