On May 18, 2020, at 23:58, Peter Gutmann via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:
> This isn't snark, it's a genuine question: If the CA isn't checking that the
> entity they're certifying controls the key they're certifying, aren't they
> then not acting as CAs any more?

They are really only certifying that the requester can control the DNS for the 
domain name mentioned in the certificate anyway. The same function DNSSEC 
provides without middlemen :)
