> In particular, there must have been some authorisation carried out at some
> point, or perhaps that wasn't carried out, that indicates who requested the
> cert.  What I'm trying to discover is where the gap was, and what's required
> to fix it in the future.

What gap, exactly?  There’s not a risk here.

I don’t think it’s been codified that private key possession or control has
to be demonstrated.

I think it would be plausible for a CA to allow submission of a public key
in lieu of a CSR and that nothing would be wrong about it.
