That is my reading of the situation, that they're not doing an actual
certification of an enrollment without verifying the actual key-identity.

In addition, I'm wondering if the concept of "third-party attestation" (of
identity) is even a thing anymore, given that most CAs issue certificates
for their own websites.

-Kyle H

On Mon, May 18, 2020, 22:58 Peter Gutmann via dev-security-policy <> wrote:

> A bit of a philosophical question here: Certificates are pretty much universally
> described in PKI texts and the like as a cryptographic binding between an
> identity and a key, in other words an assertion by the CA that the key in the
> cert is associated with the identity in the cert.
>
> If there's no requirement to verify that this is the case by CAs issuing
> certificates, doesn't this make what they're producing a non-certificate?
>
> This isn't snark, it's a genuine question: If the CA isn't checking that the
> entity they're certifying controls the key they're certifying, aren't they
> then not acting as CAs any more?
>
> Peter.
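The proof-of-possession check that Peter's question turns on, shown as an added example that is not part of this thread and not any CA's own code: before issuing, the CA parses the PKCS#10 request and verifies its self-signature against the public key inside it, which is the only evidence in the request that the enrollee controls the private key. The code uses only Go's standard library; the subject name `example-enrollee` and the `Demo` helper are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// Constructed sample subject; not a real enrollee.
const enrolleeCN = "example-enrollee"

// ProofOfPossessionOK is the check a CA should run at enrollment: parse the
// PKCS#10 request and verify its self-signature with the public key it carries.
func ProofOfPossessionOK(der []byte) bool {
	csr, err := x509.ParseCertificateRequest(der)
	return err == nil && csr.CheckSignature() == nil
}

// tamperSubject flips one byte of the CommonName after signing: the ASN.1 stays
// well-formed, but the signed bytes no longer match the signature.
func tamperSubject(der []byte) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte(enrolleeCN)); i >= 0 {
		out[i] = 'f' // 'e' -> 'f' keeps a valid PrintableString
	}
	return out
}

// Demo: a genuine CSR for a fresh P-256 key passes, a tampered copy does not.
func Demo() (genuineOK, tamperedOK bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: enrolleeCN}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return false, false, err
	}
	return ProofOfPossessionOK(der), ProofOfPossessionOK(tamperSubject(der)), nil
}

func main() {
	g, t, err := Demo()
	fmt.Println("genuine CSR passes:", g, "tampered CSR passes:", t, "err:", err)
}
```

A request whose self-signature does not verify carries no proof of key control, so a CA that skips this check is asserting a key-identity binding it never tested.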