On Mon, May 18, 2020 at 12:44 PM Ryan Sleevi <[email protected]> wrote:
> The scenario you ascribe to
> StartCom is exactly what is recommended, of CAs, in numerous CA
> incident bugs where the failure to apply that restrictive model has
> led to misissuance.

Separate to the matter in discussion in this thread, my understanding of CSR processing best practice mirrored what you say here -- take the minimum that you require from the structure and discard the rest.

I was surprised in reading the ACME specs that various factors for issuance rely upon data in the rather flexible but (relatively) complex data structure that is the CSR, like requested DNS names, whether or not OCSP must-staple is desired, etc. I am curious what the authors' intent was there. Was it possibly a desire to adhere to the original functional intent of the CSR as elsewhere specified, irrespective of the known risks which had been previously demonstrated in bad CA implementations?
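Added example, not part of the original message and not code from any CA or ACME implementation: a Go sketch of the "take the minimum and discard the rest" approach to CSR handling, covering the fields the message names (requested DNS names and the OCSP must-staple request) plus the public key. The names `Minimal`, `ExtractMinimal` and `SampleCSR` are hypothetical, and the sample CSR is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// id-pe-tlsfeature (RFC 7633); SEQUENCE { INTEGER 5 } requests OCSP must-staple.
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
var mustStapleDER = []byte{0x30, 0x03, 0x02, 0x01, 0x05}

type Minimal struct { // hypothetical type: the only data handed to issuance
	PublicKey  interface{}
	DNSNames   []string
	MustStaple bool
}

func ExtractMinimal(der []byte) (*Minimal, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil || csr.CheckSignature() != nil { // self-signature proves key possession
		return nil, fmt.Errorf("CSR rejected: malformed or bad self-signature")
	}
	m := &Minimal{PublicKey: csr.PublicKey, DNSNames: csr.DNSNames}
	for _, e := range csr.Extensions {
		if e.Id.Equal(oidTLSFeature) && bytes.Equal(e.Value, mustStapleDER) {
			m.MustStaple = true // only the exact must-staple encoding is honoured
		}
	}
	return m, nil // Subject, e-mail SANs and all other extensions are dropped here
}

func SampleCSR() []byte { // constructed input carrying fields the CA never asked for
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: "ignored.example", Organization: []string{"Unvalidated Org"}},
		DNSNames:        []string{"www.example.com"},
		EmailAddresses:  []string{"admin@example.com"},
		ExtraExtensions: []pkix.Extension{{Id: oidTLSFeature, Value: mustStapleDER}},
	}, key)
	return der
}

func main() { fmt.Println(ExtractMinimal(SampleCSR())) }
```

The DNS names returned are still only a request; each one has to be compared against the identifiers the CA has independently validated before anything is issued.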

