On Wed, 05 Oct 2022 13:39:32 +1100 "Martin Thomson" <[email protected]> wrote:
> The integrity of TLS doesn't depend on the key holder presenting
> proof of possession toward the issuing CA. Perhaps we could define
> an extension that produced an empty signature, so that it could be
> used for any algorithm without these complications...

You are of course right that from the basic security properties of TLS there is no need for a certificate requester to show key possession.

However, I always considered this self-signature a kind of safeguard that will in practice prevent a number of issues:

* People don't understand how keys and certificates work and will use a public key from someone else.
* It will likely prevent various kinds of malformed or corrupted keys from being present in certificates that are unable to generate valid signatures.

I find these desirable features that likely let things fail early in various situations where things go wrong.

-- 
Hanno Böck
https://hboeck.de/

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
