On Mon, May 18, 2020 at 03:46:46AM +0000, Peter Gutmann via dev-security-policy wrote: > I assume this is ACME that allows a key to be certified without any proof that > the entity requesting the certificate controls it?
ACME requires a CSR to be submitted in order to get the certificate issued. A quick scan doesn't show anything like "the signature on the CSR MUST be validated against the key", but it does talk about policy considerations around weak signatures on CSRs and such, suggesting that it was at least the general intention of ACME to require signatures on CSRs to be validated. In any event, given that the certs involved were issued by Digicert, not Let's Encrypt, and Digicert's ACME issuance pipeline is somewhat of a niche thing at present, I think it's more likely the problem lies elsewhere. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
