On Sat, May 16, 2020 at 10:11 AM Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Sat, May 16, 2020 at 10:04:24AM -0400, Andrew Ayer via dev-security-policy wrote:
> > On Sat, 16 May 2020 14:02:42 +0200 Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > > https://crt.sh/?id=1902422627
> > >
> > > It's a certificate for api.pillowz.kz with the public key of Let's
> > > Encrypt Authority X1 and X3 CAs.
> > >
> > > It's revoked since 2020-01-31, but I couldn't find any incident
> > > report related to it.
> >
> > Hi Kurt,
> >
> > It's not obvious what's non-compliant about this certificate - could you
> > explain? Note that there is no requirement or security need for CAs to
> > validate proof of possession of a private key.
>
> I was under the impression that there was. But looking at the BRs,
> 3.2.1 is just empty.

Yeah, that’s intentional, at least with regards to server certificates, as it is not necessary for such certificates. As Andrew mentioned, there are no requirements here and it’s not a violation of any expectation, in the Baseline Requirements or in any Root Programs’ policies.

> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
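The situation the thread discusses, as an added example that is not from the thread, from Let's Encrypt, or from crt.sh: a CA with no proof-of-possession step issues a server certificate that carries the CA's own public key, and a monitor flags such a certificate by comparing its SubjectPublicKeyInfo against a list of known CA SPKIs. Every key, name and certificate below is constructed in memory; `LeafCarriesCAKey` and `BuildDemo` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LeafCarriesCAKey reports whether leaf's DER SubjectPublicKeyInfo equals one of the known CA SPKIs.
func LeafCarriesCAKey(leaf *x509.Certificate, caSPKIs map[string][]byte) (string, bool) {
	for name, spki := range caSPKIs {
		if bytes.Equal(leaf.RawSubjectPublicKeyInfo, spki) {
			return name, true
		}
	}
	return "", false
}

// BuildDemo makes, in memory only, a throwaway CA key and a server certificate issued for that same key.
func BuildDemo() (leaf *x509.Certificate, caSPKI []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caSPKI, _ = x509.MarshalPKIXPublicKey(&caKey.PublicKey) // constructed "known CA" SPKI, DER-encoded
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "api.example.invalid"},
		DNSNames: []string{"api.example.invalid"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	// No proof-of-possession step exists (BR 3.2.1 requires none), so the CA can place its own key in a leaf.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Demo CA"}}, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(der)
	return leaf, caSPKI, err
}

func main() {
	leaf, caSPKI, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	name, hit := LeafCarriesCAKey(leaf, map[string][]byte{"Constructed Demo CA": caSPKI})
	fmt.Printf("%s carries CA key %q: %v\n", leaf.Subject.CommonName, name, hit)
}
```

Against real data, the map would hold the SPKI fingerprints of the intermediates you monitor, and the leaf would come from a CT log or crt.sh lookup.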