On Sun, May 17, 2020 at 10:47 PM Peter Gutmann via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> I assume this is ACME that allows a key to be certified without any proof that
> the entity requesting the certificate controls it?  I don't know that any of
> the PKIX protocols allow it.

I do not see anywhere in ACME that specifies how an ACME server or the
CA are to treat the CSR's signature field. Based on that, there is
nothing specific in ACME allowing this behavior.
(The only place I see talking about the private key associated with
the cert's public key is to sign messages for revocation.)

-carl mehner
dev-security-policy mailing list

Reply via email to