On Sun, May 17, 2020 at 10:47 PM Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I assume this is ACME that allows a key to be certified without any proof that
> the entity requesting the certificate controls it? I don't know that any of
> the PKIX protocols allow it.

I do not see anywhere in ACME that specifies how an ACME server or the CA are to treat the CSR's signature field. Based on that, there is nothing specific in ACME allowing this behavior. (The only place I see talking about the private key associated with the cert's public key is to sign messages for revocation.)

-carl mehner
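What checking the CSR's signature field amounts to on the CA side, as an added Go example that is not part of the original message or of any ACME implementation: `verifyPoP` verifies the PKCS#10 signature against the public key carried in the same request. The helper names and `example.test` are hypothetical, and both CSRs are constructed test fixtures.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newCSR returns a DER PKCS#10 request for cn (constructed name), signed by a fresh P-256 key.
func newCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// verifyPoP is the CA-side check: the CSR signature must verify under the public
// key inside the same CSR, which shows the requester holds the matching private key.
func verifyPoP(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der) // parsing alone verifies nothing
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	return csr.CheckSignature()
}

// withForeignKey builds a negative test fixture: reqDER with its SubjectPublicKeyInfo
// replaced by the one from otherDER, so the signature no longer matches the key.
func withForeignKey(reqDER, otherDER []byte) ([]byte, error) {
	req, err1 := x509.ParseCertificateRequest(reqDER)
	other, err2 := x509.ParseCertificateRequest(otherDER)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("fixture CSRs must parse: %v %v", err1, err2)
	}
	return bytes.Replace(reqDER, req.RawSubjectPublicKeyInfo, other.RawSubjectPublicKeyInfo, 1), nil
}

func main() {
	a, _ := newCSR("example.test")
	b, _ := newCSR("example.test")
	swapped, _ := withForeignKey(a, b)
	fmt.Println("own key:    ", verifyPoP(a))
	fmt.Println("foreign key:", verifyPoP(swapped))
}
```

A server that parses the CSR only to extract the public key and names, without the `CheckSignature` step, would treat both requests the same.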