On Mon, May 18, 2020 at 03:46:46AM +0000, Peter Gutmann via dev-security-policy 
> I assume this is ACME that allows a key to be certified without any proof that
> the entity requesting the certificate controls it?

ACME requires a CSR to be submitted in order to get the certificate issued. 
A quick scan doesn't show anything like "the signature on the CSR MUST be
validated against the key", but it does talk about policy considerations
around weak signatures on CSRs and such, suggesting that it was at least the
general intention of ACME to require signatures on CSRs to be validated.

In any event, given that the certs involved were issued by Digicert, not
Let's Encrypt, and Digicert's ACME issuance pipeline is somewhat of a niche
thing at present, I think it's more likely the problem lies elsewhere.

- Matt

dev-security-policy mailing list

Reply via email to