> In particular, there must have been some authorisation carried out at some
> point, or perhaps that wasn't carried out, that indicates who requested the
> cert. What I'm trying to discover is where the gap was, and what's required
> to fix it in the future.
What gap, exactly? There’s not a risk here. I don’t think it’s been codified that private key possession or control has to be demonstrated. I think it would be plausible for a CA to allow submission of a public key in lieu of a CSR and that nothing would be wrong about it.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
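The distinction under discussion, a CSR versus a bare public key, comes down to one check a CA can only perform on a CSR: verifying the request's self-signature. The following is an added example, not code from this thread or from any CA; the key, the common name and the tampered request are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// BuildCSR generates a fresh P-256 key and a PKCS#10 request for cn that is
// self-signed with that key. The signature is the requester's proof of
// possession: only the holder of the private key can produce it.
func BuildCSR(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// ProofOfPossession is the check a CA can run on a CSR but not on a bare
// public key: parse the request and verify its self-signature under the
// public key embedded in it. A bare SubjectPublicKeyInfo carries no such
// signature, so there is nothing comparable to verify.
func ProofOfPossession(der []byte) bool {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false
	}
	return csr.CheckSignature() == nil
}

// TamperSignature models a request whose signature no longer matches the
// embedded key (constructed for this demo): the signature BIT STRING is the
// last element of the DER, so flipping the low bit of the final byte alters
// the ECDSA s value while leaving the rest of the structure parseable.
func TamperSignature(der []byte) []byte {
	out := append([]byte(nil), der...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	_, der, err := BuildCSR("example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine CSR verifies:", ProofOfPossession(der))                  // true
	fmt.Println("tampered CSR verifies:", ProofOfPossession(TamperSignature(der))) // false
}
```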