A CSR does not prove possession of a key. CSRs are generally not treated as confidential data, and are frequently posted in public places <https://github.com/search?q=%22BEGIN+CERTIFICATE+REQUEST%22&type=code>. A CSR proves that someone possessed the corresponding private key at some time in the past, but not that the current Applicant controls the private key at the time they are requesting issuance.
Also, the BRs do not specifically require that a CA accept issuance requests in the form of a CSR; it is easy to imagine a CA having a web portal to which you upload the desired public key PEM without signing anything with the corresponding private key.

Aaron

On Tue, Oct 29, 2024 at 6:37 PM Watson Ladd <[email protected]> wrote:

> On Tue, Oct 29, 2024 at 6:03 PM 'Aaron Gable' via [email protected] <[email protected]> wrote:
> >
> > <snip>
> >
> > And so finally, the strongest reason of all: per the Baseline Requirements, if a CA treats a key as compromised, then they are required to revoke all other certificates which share that key within 24 hours. Therefore a CA has a prerogative to treat a key as compromised only when that compromise has been demonstrated (e.g. by seeing the private key themselves, receiving an ACME revocation request signed by that key, or receiving a CSR with a "this key is compromised" subject signed by that key). Otherwise they open themselves up to denial-of-service attacks: a malicious actor could identify a victim site, apply for a certificate containing the same public key, revoke that certificate with reason unspecified, and let the CA do the rest of the work to treat that as a keyCompromise and revoke the target site's cert as well.
>
> Minor technical note: a CSR proves possession of the key, so this isn't possible AFAIK.
>
> > Aaron
> >
> > --
> > You received this message because you are subscribed to the Google Groups "[email protected]" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnEreLnZH2eqLc2QmBoDTmkRNcrRkYt9h%3DMNAv5gPDZynKqw%40mail.gmail.com.
>
> --
> Astra mortemque praestare gradatim

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErfMC3vCOaXQyZciykjK5ov3v69V4kRyHqiuWVVEgRFceQ%40mail.gmail.com.
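The distinction Aaron draws above, as an added Go example that is not code from this thread: a CSR's self-signature verifies for whoever submits the bytes, so it shows only that the key existed and was used once, while current control takes a fresh CA-chosen challenge. The nonce exchange is an illustrative protocol assumed here, not anything the BRs require, and the function names and sample subject are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// BuildCSR is the applicant's one-time step: sign a request with the private key.
func BuildCSR(key *ecdsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// CSRSignatureValid is all a CA learns from the CSR alone: the embedded public key signed
// these bytes at some point. No private key is needed, so a copied CSR passes just as well.
func CSRSignatureValid(der []byte) bool {
	csr, err := x509.ParseCertificateRequest(der)
	return err == nil && csr.CheckSignature() == nil
}

// ProveControl: whoever holds the private key right now signs a nonce the CA just chose.
func ProveControl(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// VerifyControl checks the nonce signature against the public key carried in the CSR;
// a CSR signed earlier cannot contain a signature over a nonce that did not yet exist.
func VerifyControl(csrDER, nonce, sig []byte) bool {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := BuildCSR(key, "example.test") // constructed sample subject
	nonce := make([]byte, 32)                // CA-chosen fresh challenge (illustrative)
	rand.Read(nonce)
	sig, _ := ProveControl(key, nonce)
	fmt.Println(CSRSignatureValid(csr), VerifyControl(csr, nonce, sig)) // true true
}
```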
