On Tuesday, March 10, 2020 at 1:25:21 PM UTC-7, bif wrote:
> Matt,
>
> Voluntarily providing a CSR is not an ideal way to prove key compromise,
> because you could've simply found this CSR somewhere (I know, I know, super
> unlikely with your Subject... but still could happen.)
>
While a CSR isn't particularly sensitive in itself, people don't often go around posting them publicly. One of the most likely places to find it is on the machine it was generated on, indicating that the machine holding the private key was probably breached, or somewhere in a CA's infrastructure, indicating the CA was breached. Even if the person providing the CSR *doesn't*, in fact, have the private key, I'd be extremely worried about who *does*.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
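The distinction the two posters are drawing, shown as an added example that is not part of the thread: a CSR carries a self-signature, so a CA can check that *someone* held the private key when the CSR was produced, but handing over a CSR says nothing about who holds the key now. A fresh, verifier-chosen challenge signed with the key does. The script assumes only the `openssl` CLI; the key pair, subject name and second "wrong" key are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)

# Constructed subscriber key and CSR (stand-ins, not a real subscriber's).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/key.pem" 2>/dev/null
openssl req -new -key "$WORK/key.pem" -subj "/CN=example.invalid" \
  -out "$WORK/req.csr" 2>/dev/null

# 1. What a CSR proves on its own: its self-signature verifies under the
#    public key embedded in it, i.e. the key was in *someone's* hands when
#    the CSR was made. It does not show the presenter holds the key today.
csr_self_consistent() {   # $1 = CSR path; returns 0 if the self-signature verifies
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# 2. Proof of current possession: the verifier generates a fresh nonce and
#    the claimant signs it; the signature is checked against the public key
#    taken from the CSR. Anyone who merely found the CSR cannot pass this.
fresh_challenge_ok() {    # $1 = CSR path, $2 = private key the claimant signs with
  nonce="$WORK/nonce.bin"
  openssl rand -out "$nonce" 32 2>/dev/null                      # verifier's choice
  openssl req -in "$1" -noout -pubkey > "$WORK/pub.pem" 2>/dev/null
  openssl dgst -sha256 -sign "$2" -out "$WORK/sig.bin" "$nonce" 2>/dev/null
  openssl dgst -sha256 -verify "$WORK/pub.pem" \
    -signature "$WORK/sig.bin" "$nonce" >/dev/null 2>&1
}

# Constructed second key: models a party who has the CSR but not the key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other.pem" 2>/dev/null

if csr_self_consistent "$WORK/req.csr"; then
  echo "CSR self-signature verifies: key existed when the CSR was made"
fi
if fresh_challenge_ok "$WORK/req.csr" "$WORK/key.pem"; then
  echo "holder of the real key passes the fresh challenge"
fi
if ! fresh_challenge_ok "$WORK/req.csr" "$WORK/other.pem"; then
  echo "party with only the CSR fails the fresh challenge"
fi
```

The practical consequence for a CA handling a compromise report is the one bif describes: treat a presented CSR as evidence worth investigating (where did it come from?), but rely on a signature over a challenge the CA itself chose before acting on a possession claim.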