That is my reading of the situation, that they're not doing an actual certification of an enrollment without verifying the actual key-identity binding.
In addition, I'm wondering if the concept of "third-party attestation" (of identity) is even a thing anymore, given that most CAs issue certificates for their own websites.

-Kyle H

On Mon, May 18, 2020, 22:58 Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> A bit of philosophical question here: Certificates are pretty much universally described in PKI texts and the like as a cryptographic binding between an identity and a key, in other words an assertion by the CA that the key in the cert is associated with the identity in the cert.
>
> If there's no requirement to verify that this is the case by CAs issuing certificates, doesn't this make what they're producing a non-certificate?
>
> This isn't snark, it's a genuine question: If the CA isn't checking that the entity they're certifying controls the key they're certifying, aren't they then not acting as CAs any more?
>
> Peter.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
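The check the thread is asking about, whether the applicant actually controls the key being certified, is what a PKCS#10 CSR's self-signature is for: the request body carrying the subject and public key is signed with the matching private key, and a CA that validates that signature has its proof of possession. The following Go program is an added example written for this page, not code from either poster or from any CA; it builds an honest CSR, then a constructed tampered CSR whose embedded public key has been swapped for a different party's key, and shows that the self-signature check accepts the first and rejects the second. The names `buildCSR`, `VerifyProofOfPossession` and `ProofOfPossessionDemo`, and the subject `example.test`, are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// buildCSR produces a DER-encoded PKCS#10 request for commonName, signed
// with key. Go derives the embedded SubjectPublicKeyInfo from the same key,
// so an honest request is always self-consistent.
func buildCSR(key *ecdsa.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: commonName},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// VerifyProofOfPossession is the step a CA must not skip: parse the CSR and
// verify that the signature over the request body was made by the private
// key matching the public key inside that body. Parsing alone never checks
// the signature; CheckSignature does. Returns the requested CommonName.
func VerifyProofOfPossession(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr.Subject.CommonName, nil
}

// ProofOfPossessionDemo builds an honest CSR from the applicant's key, then a
// constructed tampered copy in which the applicant's SubjectPublicKeyInfo is
// replaced byte-for-byte by some other party's key (both P-256, so the DER
// lengths are identical and the structure still parses). It reports whether
// each one passes VerifyProofOfPossession.
func ProofOfPossessionDemo() (honestOK bool, tamperedOK bool, err error) {
	applicant, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}

	honest, err := buildCSR(applicant, "example.test")
	if err != nil {
		return false, false, err
	}
	_, honestErr := VerifyProofOfPossession(honest)

	// Swap the embedded public key: the request now names a key the signer
	// does not hold, which is exactly the binding a CA is supposed to reject.
	spkiApplicant, err := x509.MarshalPKIXPublicKey(&applicant.PublicKey)
	if err != nil {
		return false, false, err
	}
	spkiOther, err := x509.MarshalPKIXPublicKey(&other.PublicKey)
	if err != nil {
		return false, false, err
	}
	tampered := bytes.Replace(honest, spkiApplicant, spkiOther, 1)
	if bytes.Equal(tampered, honest) {
		return false, false, errors.New("constructed tampering did not apply")
	}
	_, tamperedErr := VerifyProofOfPossession(tampered)

	return honestErr == nil, tamperedErr == nil, nil
}

func main() {
	honest, tampered, err := ProofOfPossessionDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest CSR passes proof of possession:   %v\n", honest)
	fmt.Printf("tampered CSR passes proof of possession: %v\n", tampered)
}
```

The tampered request parses cleanly and names a plausible subject; only the signature check exposes it. A CA that issues from parsed fields without calling the equivalent of `CheckSignature` would produce exactly the key-identity binding the thread questions.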