I personally don't care, but the current Mozilla revocation reason policy <https://wiki.mozilla.org/CA/Revocation_Reasons#End_Entity_TLS_Certificate_CRLRevocation_Reasons> explicitly does not allow a CSR as proof of key possession:

The scope of revocation depends on whether the certificate subscriber has proven possession of the private key of the certificate. A CSR alone does not prove possession of the certificate’s private key for the purpose of initiating a revocation.

- If anyone requesting revocation for keyCompromise has previously demonstrated or can currently demonstrate possession of the private key of the certificate, then the CA operator MUST revoke all instances of that key across all subscribers.
- If the certificate subscriber requests that the CA operator revoke the certificate for keyCompromise, and has not previously demonstrated and cannot currently demonstrate possession of the associated private key of that certificate, the CA operator MAY revoke all certificates associated with that subscriber that contain that public key. The CA operator MUST NOT assume that it has evidence of private key compromise for the purposes of revoking the certificates of other subscribers, but MAY block issuance of future certificates with that key.

On Tuesday, March 25, 2025 at 3:56:10 PM UTC+9, Arabella Barks wrote:

Suchan Seo,

Regarding your concern about being included in the GlobalKeyCompromisedList without proof, I have a technical proposal:

Since the CA definitely holds 100% of the CSR (Certificate Signing Request) submitted by the applicant when applying for a certificate, and the CSR contains the signature stamp of the private key on the application message, if the CA submits the CSR together when docking with the GlobalKeyCompromisedList, is it sufficient to prove that the applicant owns the private key?

I'm not sure if this is enough to ease your concerns. If there are any errors on my part, I’m pleased and welcome to see your corrections.

--
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/2c5ae5d4-e876-4a28-a18a-36bd2c2cc485n%40mozilla.org.
