According to Jeremy (see below), that was not the situation.

On 15/04/2019 14:09, Man Ho wrote:
I don't think that it's trivial for a less-skilled user to obtain the CSR
of the "DigiCert Global Root G2" certificate and post it in the request
for another certificate, right?


On 15-Apr-19 6:57 PM, Jakob Bohm via dev-security-policy wrote:
Thanks for the explanation.

Is it possible that a significant percentage of less-skilled users
simply pasted in the wrong certificates by mistake, then wondered why
their new certificates never worked?

Pasting in the wrong certificate from an installed certificate chain or
semi-related support page doesn't seem an unlikely user error with that
design.

On 12/04/2019 18:56, Jeremy Rowley wrote:
I don't mind filling in details.

We have a system that permits creation of certificates without a CSR
that works by extracting the key from an existing cert, validating
the domain/org information, and creating a new certificate based on
the contents of the old certificate. The system was supposed to do a
handshake with a server hosting the existing certificate as a form of
checking control over the private key, but that was never
implemented, slated for a phase 2 that never came. We've since
disabled that system, although we didn't file any incident report
(for the reasons discussed so far).




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
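The flow Jeremy describes above, as an added example that is not DigiCert's code and not from anyone in this thread: a Go program that lifts the public key out of an existing certificate and issues a new leaf for it, first with nothing but the (assumed already completed) domain/org validation as a gate, which is the flow as described, and then with the nonce-signing handshake that was slated for phase 2, where the requester has to sign a fresh CA nonce with the private key and the CA verifies that signature against the key inside the existing certificate. The throwaway CA, the subscriber, the "stranger" who holds only the public certificate, the name www.example.com and the nonce/SHA-256/ECDSA response format are all assumptions made up for the example; Go's standard crypto/x509 and crypto/ecdsa do the actual work.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey returns a fresh P-256 key for the CA, the subscriber or the stranger.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign gives tmpl a random positive serial, signs it under parent and parses the result.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // crypto/rand failure is fatal anyway
	tmpl.SerialNumber = n.Add(n, big.NewInt(1))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a throwaway self-signed issuing CA, constructed for this example.
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := NewKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// Issue signs a TLS server leaf for dnsName that binds pub, whoever supplied it.
func Issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, pub any, dnsName string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		NotAfter:    time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, caCert, pub, caKey)
}

// Challenge (CA) issues a fresh nonce, Respond (requester) signs it with the private key, and
// VerifyPossession (CA) checks that signature against the public key in the existing certificate.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

func Respond(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

func VerifyPossession(existing *x509.Certificate, nonce, sig []byte) bool {
	h := sha256.Sum256(nonce)
	pub, ok := existing.PublicKey.(*ecdsa.PublicKey) // example handles ECDSA keys only
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

// Reissue models the CSR-less flow: lift the public key out of an existing certificate and
// issue a new leaf for it. requirePoP=false is the flow as described in the thread (domain/org
// validation, assumed done before this call, is the only gate); requirePoP=true adds the handshake.
func Reissue(caKey *ecdsa.PrivateKey, caCert, existing *x509.Certificate, dnsName string, nonce, sig []byte, requirePoP bool) (*x509.Certificate, error) {
	if requirePoP && !VerifyPossession(existing, nonce, sig) {
		return nil, fmt.Errorf("requester did not prove control of the key for %s", dnsName)
	}
	return Issue(caKey, caCert, existing.PublicKey, dnsName)
}

func main() {
	caKey, caCert, _ := NewCA()
	subKey, _ := NewKey()
	subCert, _ := Issue(caKey, caCert, &subKey.PublicKey, "www.example.com")
	stranger, _ := NewKey() // holds subCert, which is public, but not subKey
	nonce, _ := Challenge()
	forged, _ := Respond(stranger, nonce)
	_, noPoP := Reissue(caKey, caCert, subCert, "www.example.com", nil, nil, false)
	_, withPoP := Reissue(caKey, caCert, subCert, "www.example.com", nonce, forged, true)
	fmt.Println("stranger issued without PoP:", noPoP == nil, "- rejected with PoP:", withPoP != nil)
}
```

Run it with go run; the two booleans show that without the check anyone holding a copy of a certificate, which is public by nature, can have a new one minted for its key, and that a signature over a fresh CA nonce closes that gap. When a CSR is used instead, its self-signature gives the same proof, which is what x509.CertificateRequest.CheckSignature verifies in Go.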
