On Tue, Dec 11, 2018 at 08:00:59AM +0000, Jeremy Rowley via dev-security-policy wrote:
> I think pretty much every ca will accept a signed file in lieu of an
> actual key.

You'd rather hope so. If there are any CAs out there who *wouldn't* accept a signature from the private key as proof of compromise it would be interesting to hear from them as to why they don't believe that constitutes proof of compromise.

> Generally provide the key just means some proof of compromise the ca can
> replicate.

Indeed. The disagreement is around what constitutes "proof" and how much effort the CA is willing to go to to perform the replication.

- Matt