On Fri, Feb 04, 2022 at 12:20:16AM +0000, Rob Stradling wrote:
> 1. Self-sign some sort of "Key Compromise Request" (KCR) that a CA can
> unambiguously treat as a declaration of key compromise by a holder of that
> key. Ideally a KCR would be a new type of object that can't be parsed as
> a CSR (e.g., see
> https://secure.sectigo.com/products/RevocationPortalDetails?action=2a);

That's not a Key Compromise Request, because it requires an issued certificate. It's impossible to generate such a Key Compromise Request without an already-issued certificate.

> or, as some folks have done, a KCR could be a CSR that contains some sort
> of textual indication of intent such as "subject:CN=This CSR is intended
> to prove key compromise".

Such as https://github.com/pwnedkeys/key-compromise-attestation-rfc.

- Matt

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220204045325.GB11647%40hezmatt.org.
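The second option in the quoted message (a self-signed CSR whose CN carries a textual statement of intent) can be checked on the CA side without any issued certificate in hand. The following Go program is an added example, not code from this thread, from the pwnedkeys draft, or from any CA: it builds such a CSR and then performs the checks a verifier would want, namely that the CSR's self-signature proves possession of the private key, that the intent marker is present, and that the CSR's public key is the same key as the certificate whose revocation is being requested. The exact marker string `IntentCN` is taken from the quoted text and is an assumption; a CA would publish whichever string it accepts. The certificate public key is passed in directly in `main` as a stand-in for `cert.PublicKey` on a parsed certificate.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// IntentCN is the marker string quoted in the thread (assumed; a CA would
// publish the exact string it treats as a key-compromise declaration).
const IntentCN = "This CSR is intended to prove key compromise"

// BuildCompromiseCSR self-signs a CSR whose only subject content is the
// intent marker. No issued certificate is needed, only the private key.
func BuildCompromiseCSR(key crypto.Signer) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: IntentCN},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// VerifyCompromiseCSR performs the CA-side checks: parse the DER, verify the
// self-signature (proof of possession of the private key), require the
// intent marker, and confirm the CSR key equals the key of the certificate
// whose revocation is being requested.
func VerifyCompromiseCSR(csrDER []byte, certPub crypto.PublicKey) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("self-signature invalid: %w", err)
	}
	if csr.Subject.CommonName != IntentCN {
		return errors.New("CSR does not carry the key-compromise intent marker")
	}
	// ecdsa, rsa and ed25519 public keys all implement Equal.
	csrPub, ok := csr.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !csrPub.Equal(certPub) {
		return errors.New("CSR key does not match the certificate key")
	}
	return nil
}

func main() {
	// Constructed demo key; in practice this is the key believed compromised.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	kcr, err := BuildCompromiseCSR(key)
	if err != nil {
		panic(err)
	}
	// &key.PublicKey stands in for cert.PublicKey of the issued certificate.
	fmt.Println("intent CSR, matching key:", VerifyCompromiseCSR(kcr, &key.PublicKey))

	// An ordinary CSR for the same key must not be accepted as a declaration.
	plain, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.com"}}, key)
	fmt.Println("ordinary CSR:", VerifyCompromiseCSR(plain, &key.PublicKey))

	// A valid intent CSR for a different key must not revoke this certificate.
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("intent CSR, wrong key:", VerifyCompromiseCSR(kcr, &other.PublicKey))
}
```

The ordering of the checks matters for the CA: the signature check comes before anything else, so a request that merely copies a public key out of a certificate and names the marker string is rejected for lacking proof of possession, and the marker check prevents an ordinary enrolment CSR from being replayed as a revocation request.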
