It was just the one system and situation-specific.  

-----Original Message-----
From: dev-security-policy <> On Behalf Of Peter Gutmann via dev-security-policy
Sent: Monday, May 18, 2020 6:31 AM
To: Matt Palmer <>; Mozilla <>; Jeremy Rowley
Subject: Re: Digicert issued certificate with let's encrypts public key

Jeremy Rowley via dev-security-policy <> 

>For those interested, the short of what happened is that we had an old 
>service where you could replace existing certificates by having 
>DigiCert connect to a site and replace the certificate with a key taken 
>from the site after a TLS connection. No requirement for a CSR since we 
>obtained proof of key control through a TLS connection with the 
>website. Turned out the handshake didn't actually take the key, but 
>allowed the customer to submit a different public key without a CSR. We 
>took down the service a while ago - back in November I think. I plan to 
>put it back up when we work out the kink with it not forcing the key to match 
>the key used in the handshake.

Thanks, that was the info I was after: was this a general problem that we need 
to check other systems for as well, or a situation-specific issue that affected 
just one site/system but no others.  Looks like other systems are unaffected.

dev-security-policy mailing list
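The check the quoted message describes as missing from the old service, written out as an added example (this is not DigiCert's code and not from the original thread): the CA performs a TLS handshake against the site, records the SubjectPublicKeyInfo of the leaf certificate the site actually presented, and accepts a replacement key only if it is byte-for-byte that SPKI. A submitted key that differs is exactly the case the old service let through. The site name "example.test", the in-process server over net.Pipe, the self-signed fixture certificate and the function names are all constructed for the example and are assumptions, not anything from the thread.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert is a constructed test fixture: a self-signed certificate for
// the site's key, so the "connect to the site" step can run in-process
// instead of against a real host (assumed name: example.test).
func selfSignedCert(key *ecdsa.PrivateKey) (tls.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeSPKI runs a TLS handshake against the site (an in-memory server over
// net.Pipe here; a real service would dial the host) and returns the DER
// SubjectPublicKeyInfo of the leaf certificate the site actually presented.
func handshakeSPKI(site tls.Certificate) ([]byte, error) {
	clientConn, serverConn := net.Pipe()
	go func() {
		defer serverConn.Close()
		srv := tls.Server(serverConn, &tls.Config{
			Certificates: []tls.Certificate{site},
			// net.Pipe is synchronous; post-handshake session tickets
			// would otherwise block the server's write.
			SessionTicketsDisabled: true,
		})
		_ = srv.Handshake()
	}()
	cli := tls.Client(clientConn, &tls.Config{
		ServerName: "example.test",
		// Chain validation is not what proves control here; the key the
		// site demonstrably holds the private half of is.
		InsecureSkipVerify: true,
	})
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return nil, err
	}
	peer := cli.ConnectionState().PeerCertificates
	if len(peer) == 0 {
		return nil, errors.New("site presented no certificate")
	}
	return x509.MarshalPKIXPublicKey(peer[0].PublicKey)
}

// verifyReplacementKey is the binding the old service lacked: the key the
// customer asks to have certified must equal the SPKI observed in the
// handshake. Anything else is a request to certify a key whose control was
// never demonstrated.
func verifyReplacementKey(site tls.Certificate, submitted crypto.PublicKey) error {
	observed, err := handshakeSPKI(site)
	if err != nil {
		return fmt.Errorf("handshake with site failed: %w", err)
	}
	wanted, err := x509.MarshalPKIXPublicKey(submitted)
	if err != nil {
		return fmt.Errorf("submitted key is not a usable public key: %w", err)
	}
	if !bytes.Equal(observed, wanted) {
		return errors.New("submitted public key does not match the key presented in the TLS handshake")
	}
	return nil
}

func main() {
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a key not held by the site
	site, err := selfSignedCert(siteKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("same key as handshake:", verifyReplacementKey(site, &siteKey.PublicKey))
	fmt.Println("different key:        ", verifyReplacementKey(site, &otherKey.PublicKey))
}
```

Comparing the DER-encoded SPKI rather than individual key fields covers the algorithm identifier and curve parameters as well as the key bytes, so a submitted key of a different type or curve is rejected the same way as a different key of the same type.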
