Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> 
writes:

>For those interested, the short of what happened is that we had an old
>service where you could replace existing certificates by having DigiCert
>connect to a site and replace the certificate with a key taken from the site
>after a TLS connection. No requirement for a CSR since we obtained proof of
>key control through a TLS connection with the website. Turned out the
>handshake didn't actually take the key, but allowed the customer to submit a
>different public key without a CSR. We took down the service a while ago -
>back in November I think. I plan to put it back up when we work out the kink
>with it not forcing the key to match the key used in the handshake.

Thanks, that was the info I was after: was this a general problem that we need
to check other systems for as well, or a situation-specific issue that
affected just one site/system but no others.  Looks like other systems are
unaffected.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
