On Mon, May 18, 2020 at 6:55 PM Kyle Hamilton <kya...@kyanha.net> wrote:
> So, I request and encourage that CABForum members consider populating
> clause 3.2.1 of the Basic Requirements, so that Proof-of-Possession be
> mandated.
>

I don't mean to beat a dead horse, and without addressing the merits of trying to consider a leaf certificate issued over a particular public key as proof-of-possession/control of the corresponding private key, I add one further practical problem:

The standard use of the most common way of communicating the public key and the purported proof-of-possession of the private key to the CA, the CSR, does not provide replay protection and yet is frequently NOT treated as a security impacting element should it be disclosed post-issuance. As such, one must question if an arbitrary CSR which contains a valid signature produced using the private key which corresponds to the subject public key in same said CSR is really qualified to be considered proof-of-possession (or proof of control) of said private key. I submit that it is not.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
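An added example (my own Go, not code from this thread or from any CA) of the replay gap the reply describes: a CSR's self-signature verifies identically for whoever holds the bytes, whereas a hypothetical CA-issued nonce bound into a signed digest does distinguish the key holder from a replayer. The nonce scheme and the sample subject name are assumptions for illustration, not anything the Baseline Requirements define.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
)

// makeCSR creates a fresh P-256 key and a CSR for it (constructed sample subject).
func makeCSR(cn string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	return der, key, err
}

// csrSelfSigValid is the usual CA check: the signature verifies under the public
// key carried in the CSR. It depends only on the bytes, so a replayed copy passes.
func csrSelfSigValid(der []byte) bool {
	csr, err := x509.ParseCertificateRequest(der)
	return err == nil && csr.CheckSignature() == nil
}

// challengeDigest binds a CA-chosen fresh nonce to the CSR bytes (hypothetical scheme).
func challengeDigest(nonce, csrDER []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, nonce...), csrDER...))
	return sum[:]
}

// signChallenge: only the holder of the private key can answer a newly issued nonce.
func signChallenge(key *ecdsa.PrivateKey, nonce, csrDER []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, challengeDigest(nonce, csrDER))
}

// verifyChallenge accepts a CSR only together with a valid answer to this CA's nonce.
func verifyChallenge(csrDER, nonce, sig []byte) bool {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil {
		return false
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, challengeDigest(nonce, csrDER), sig)
}
```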