On Thursday, March 19, 2020 at 2:02:39 AM UTC-4, Matt Palmer wrote:

> 1. *Are* there explicit prohibitions on issuing a certificate for a private
>    key which has been previously submitted *to that CA* as compromised 
>    (assuming, of course, that the prior submission was valid), and I'm just
>    not good at finding said prohibitions?
> 
BR 6.1.1.3 has a weak key clause, "The CA SHALL reject a certificate request if 
the requested Public Key does not meet the requirements set forth in Sections 
6.1.5 and 6.1.6 or if it has a known weak Private Key (such as a Debian weak 
key, see http://wiki.debian.org/SSLkeys)."

I would think that "issuing a certificate for a private key which has been 
previously submitted *to that CA* as compromised" is not in the spirit of the 
weak key clause. It would be best if the CA would blacklist the public key to 
prevent future issuance for the compromised private key.

Bruce.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
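
Added example, not part of the original message and not any CA's actual code: one way to implement the public-key blocklist suggested above, keyed on the SHA-256 of the request's subjectPublicKeyInfo so that a new request with a different subject but the same key is still refused. The CompromisedKeyList class and the helper names are hypothetical, and the sample requests are constructed CSR-shaped DER without a valid signature.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_csr(csr):
    """Return the raw subjectPublicKeyInfo DER of a PKCS#10 request."""
    _, pos, _ = read_tlv(csr, 0)               # CertificationRequest
    _, pos, _ = read_tlv(csr, pos)             # CertificationRequestInfo
    for _ in range(2):                         # skip version and subject
        _, _, pos = read_tlv(csr, pos)
    tag, _, end = read_tlv(csr, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return csr[pos:end]

class CompromisedKeyList:
    """Hypothetical store of SHA-256 fingerprints of reported public keys."""
    def __init__(self):
        self._fps = set()
    def report(self, spki):
        self._fps.add(hashlib.sha256(spki).digest())
    def allows(self, csr):
        return hashlib.sha256(spki_from_csr(csr)).digest() not in self._fps

# --- constructed sample data: CSR-shaped DER, not validly signed ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def sample_csr(cn, key):
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + key))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))
    cri = der(0x30, der(0x02, b"\x00") + name + spki + der(0xA0, b""))
    return der(0x30, cri + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    bl = CompromisedKeyList()
    bl.report(spki_from_csr(sample_csr(b"a.example", bytes(200))))
    print(bl.allows(sample_csr(b"b.example", bytes(200))))  # same key, new name
```

A production check would run this lookup alongside the request's signature verification and the 6.1.5/6.1.6 key checks before issuance.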
