Corey Bonnell <cbonn...@outlook.com> writes:

> Certificate renewal that uses the existing certificate as input, rather than
> a CSR. The (presumably expiring) certificate supplies the domains,
> organization info, and the public key for the renewal certificate request. In
> this case there is no proof of key possession absent some out-of-band process
> (TLS handshake with the web server, etc).
But if it's a renewal based on an existing cert, meaning that someone already had a cert for a key they don't control, that means that at some point in the past the CA turned a CSR for a key the requester doesn't control into a cert. In particular, there must have been some authorisation carried out at some point, or perhaps that wasn't carried out, that indicates who requested the cert.

What I'm trying to discover is where the gap was, and what's required to fix it in the future.

Peter.

_______________________________________________
dev-security-policy mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-security-policy
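The distinction the two messages turn on, as an added Go example that is not code from the thread or from any CA: a CSR carries its own proof of possession (the request signature made with the subject's private key), while a renewal that takes only the existing certificate as input carries none, so the CA must obtain a fresh signature over a challenge and check it against the certificate's public key. The function names, the nonce challenge, and the name example.com are assumptions of this example, not something the thread specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSubjectKey stands in for the subscriber's key pair (constructed for this example).
func NewSubjectKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// MakeCSR builds a request for the hypothetical name example.com; the request signature
// that CreateCertificateRequest makes with key is the proof of possession a CSR carries.
func MakeCSR(key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.com"}, DNSNames: []string{"example.com"}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// MakeCert self-signs a certificate for the same key: the "expiring" certificate that a
// certificate-based renewal takes as input (P-256 key, so SignatureAlgorithm is ECDSAWithSHA256).
func MakeCert(key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// CheckCSRPossession: a CSR proves possession by itself, since CheckSignature verifies the
// request signature against the public key embedded in that same request.
func CheckCSRPossession(csrDER []byte) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	return csr.CheckSignature()
}

// SignChallenge is the requester's half of the out-of-band step: sign a CA-chosen nonce.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// CheckRenewalPossession: the old certificate says nothing about who holds the key now, so
// the CA must verify a fresh challenge signature against the certificate's public key.
func CheckRenewalPossession(certDER, nonce, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig)
}
```

A signature produced by any other key, or over a different nonce, fails the renewal check, which is exactly the evidence a certificate-only renewal request does not supply on its own.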