On Wed, Feb 02, 2022 at 06:23:59AM +0000, Dimitris Zacharopoulos wrote: > I believe the phrase "previously demonstrated" may be misinterpreted to > mean the initial CSR submission, as Wilson and Ryan described. > > There needs to be some sort of "fresh" or new demonstration of controlling > the compromised key so that other Subscribers can be safe from the DoS > scenario. Hope this sounds reasonable.
Can you explain your reasoning here? If a subscriber proved possession at time of issuance, what scenario is there where that same subscriber saying "this key is compromised" could cause a DoS on another legitimate subscriber? Note that by "proved possession" I'm not referring to CAs who just use the CSR as a convenient way of receiving the public key. I understand that if a CA doesn't validate that the details in the CSR matches the details in the issued certificate, that doesn't prevent the DoS scenario, but I also don't consider that to provide proof of possession. - Matt -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220204002055.GA11647%40hezmatt.org.
