On Mon, May 18, 2020 at 12:44 PM Ryan Sleevi <r...@sleevi.com> wrote:

> The scenario you ascribe to
> StartCom is exactly what is recommended, of CAs, in numerous CA
> incident bugs where the failure to apply that restrictive model has
> lead to misissuance.

Separate to the matter in discussion in this thread, my understanding of
CSR processing best practice mirrored what you say here -- take the minimum
that you require from the structure and discard the rest.  I was surprised
in reading the ACME specs that various factors for issuance rely upon data
in the rather flexible but (relatively) complex data structure that is the
CSR, like requested DNS names, whether or not OCSP must-staple is desired,

I am curious what the authors' intent was there.  Was it possibly a desire
to adhere to the original functional intent of the CSR as elsewhere
specified, irrespective of the known risks which had been previously
demonstrated in bad CA implementations?
dev-security-policy mailing list

Reply via email to