Re: [Smcwg-public] [EXTERNAL]-Re: Fields for S/MIME CSRs

2023-09-29 Thread Pedro FUENTES via Smcwg-public
Well… given that anyone can generate a CSR containing arbitrary information, taking this as a criterion for linking the public key with the “who” can lead to dangerous assumptions. Anyway I understand your exercise and intent. In our case we don’t see fit taking anything from the CSR but the public

Re: [Smcwg-public] [EXTERNAL]-Re: Fields for S/MIME CSRs

2023-09-29 Thread Ben Wilson via Smcwg-public
Hi, It seems simply, as a method of tracking, that Certificate Issuers might find it helpful to have an email address in the CSR. Plus, if you're establishing proof of possession, then doesn't it help to know something about "who" is asserting possession of the key pair? (I don't think a CSR with

Re: [Smcwg-public] [EXTERNAL]-Re: Fields for S/MIME CSRs

2023-09-29 Thread Pedro FUENTES via Smcwg-public
That’s an interesting point, but just as there’s no need to consider the domains coming in the CSR to issue TLS certificates, I personally don’t see the practical need here. For example… We could have an Enterprise RA that can issue certs for any email address in a set of preauthorized

Re: [Smcwg-public] [EXTERNAL]-Re: Fields for S/MIME CSRs

2023-09-29 Thread Ben Wilson via Smcwg-public
Shouldn't at least the email address be included, and verified, of course, by the CA? On Fri, Sep 29, 2023, 11:35 AM Pedro FUENTES wrote: > +1 > > > On 29 Sept. 2023 at 17:52, Clint Wilson via Smcwg-public < > smcwg-public@cabforum.org> wrote: > > Hi all, > > In my opinion, CSRs should

Re: [Smcwg-public] [EXTERNAL]-Re: Fields for S/MIME CSRs

2023-09-29 Thread Pedro FUENTES via Smcwg-public
+1 > On 29 Sept. 2023 at 17:52, Clint Wilson via Smcwg-public > wrote: > > Hi all, > > In my opinion, CSRs should really be limited to conveying the public key and > a proof of possession of the private key; the fields included therein may act > as confirmatory signals for a CA, but