Corey Bonnell <> writes:

>Certificate renewal that uses the existing certificate as input, rather than
>a CSR. The (presumably expiring) certificate supplies the domains,
>organization info, and the public key for the renewal certificate request. In
>this case there is no proof of key possession absent some out-of-band process
>(TLS handshake with the web server, etc).

But if it's a renewal based on an existing cert, meaning that someone already
had a cert for a key they don't control, that means that at some point in the
past the CA turned a CSR for a key the requester doesn't control into a cert.

In particular, there must have been some authorisation carried out at some
point, or perhaps that wasn't carried out, that indicates who requested the
cert.  What I'm trying to discover is where the gap was, and what's required
to fix it in the future.



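As an added illustration, not part of the thread or of either poster's words, the following Go program puts the two request shapes side by side: a CSR, whose self-signature is the proof of key possession, and a cert-based renewal, which copies subject, SANs and public key out of the old certificate and carries nothing signed by the subject's key. The nonce challenge at the end stands in for the out-of-band check the quoted message mentions (a TLS handshake); the names, the hostname and "Example Org" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewalInput is everything a cert-based renewal has to work with: subject,
// SANs and public key copied from the old certificate. Nothing in it is signed
// by the subject's private key, so there is no possession proof to check.
type RenewalInput struct {
	Subject  pkix.Name
	DNSNames []string
	PubKey   *ecdsa.PublicKey
}

// RenewalFromCert models the flow in the quoted message: the existing
// certificate, not a CSR, is the request (ECDSA keys only, for brevity).
func RenewalFromCert(certDER []byte) (*RenewalInput, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("example handles ECDSA keys only")
	}
	return &RenewalInput{Subject: cert.Subject, DNSNames: cert.DNSNames, PubKey: pub}, nil
}

// CSRProvesPossession is the check a CSR-based request gets for free: the CSR
// is signed with the private key matching the embedded public key.
func CSRProvesPossession(csrDER []byte) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	return csr.CheckSignature()
}

// ChallengeSign / VerifyChallenge stand in for the out-of-band check: the CA
// sends a fresh nonce, the holder signs it, and the CA verifies against the
// public key taken from the old certificate.
func ChallengeSign(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func VerifyChallenge(pub *ecdsa.PublicKey, nonce, sig []byte) bool {
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// NewKey, NewCSR and SelfSignedCert produce constructed test material.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func NewCSR(priv *ecdsa.PrivateKey, dns []string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dns[0]}, DNSNames: dns}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

func SelfSignedCert(priv *ecdsa.PrivateKey, dns []string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dns[0], Organization: []string{"Example Org"}},
		DNSNames:     dns,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
}

func main() {
	holder, _ := NewKey()   // controls the key in the old certificate
	stranger, _ := NewKey() // asks for a renewal of someone else's certificate
	dns := []string{"www.example.com"}

	csr, _ := NewCSR(holder, dns)
	fmt.Println("CSR proof of possession (nil = ok):", CSRProvesPossession(csr))

	oldCert, _ := SelfSignedCert(holder, dns)
	in, _ := RenewalFromCert(oldCert)
	fmt.Println("renewal input carries", in.DNSNames, "and a public key, no signature")

	nonce := make([]byte, 32)
	rand.Read(nonce)
	sig, _ := ChallengeSign(holder, nonce)
	fmt.Println("holder passes challenge:", VerifyChallenge(in.PubKey, nonce, sig))
	sig, _ = ChallengeSign(stranger, nonce)
	fmt.Println("stranger passes challenge:", VerifyChallenge(in.PubKey, nonce, sig))
}
```

The point the code makes is that with a cert-based renewal the CA has to go and get a possession proof itself; absent a challenge of this kind (or the TLS handshake it models), a requester holding a certificate for a key they never controlled is indistinguishable from the legitimate holder.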
dev-security-policy mailing list