On Thu, Jan 27, 2022 at 8:52 PM 'Alex Cohn' via [email protected] <[email protected]> wrote:
>> - the certificate subscriber, *who has provided proof of possession of
>> the private key*, requests that the CA revoke the certificate for
>> this reason.
>
> Maybe I'm misreading this, but adding the requirement to prove possession
> of the private key seems to me to make the last line entirely redundant:
> providing proof of possession of a certificate's private key, combined with
> a request for revocation for key compromise, would seem to me to qualify as
> "verifiable evidence that the certificate subscriber’s private key
> corresponding to the public key in the certificate suffered a key
> compromise."

I think the current language was trying to capture what I raised in my previous reply: that the proof of possession wouldn’t necessarily accompany the request for revocation, but may have been completed previously (e.g. during issuance, via a CSR).
