On Sat, Feb 05, 2022 at 04:23:05PM -0600, Matthew Hardeman wrote: > Rather than accept the presentation of any arbitrary CSR over a given key > as proof of possession of a key for purposes of revocation request, why not > require that the party purporting possession/control/knowledge of the key > instead create a CSR with a randomly chosen (by CA) value in the CSR > subject like CN=rev-req-01233456789.revoketarget.com?
This is problematic for situations like pwnedkeys.com, where I'd like to not have to keep every pwned key online to interactively prove possession every time someone needs proof of compromise. Are there any weaknesses you can see in the key compromise attestation pre-draft RFC I've got at https://github.com/pwnedkeys/key-compromise-attestation-rfc? - Matt -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20220214235529.GA13429%40hezmatt.org.
