A bit of philosophical question here: Certificates are pretty much universally
described in PKI texts and the like as a cryptographic binding between an
identity and a key, in other words an assertion by the CA that the key in the
cert is associated with the identity in the cert.

If there's no requirement to verify that this is the case by CAs issuing
certificates, doesn't this make what they're producing a non-certificate?

This isn't snark, it's a genuine question: If the CA isn't checking that the
entity they're certifying controls the key they're certifying, aren't they
then not acting as CAs any more?

dev-security-policy mailing list
