On Mon, May 18, 2020, 19:46 Ryan Sleevi wrote:
> On Mon, May 18, 2020 at 7:55 PM Kyle Hamilton via dev-security-policy
> wrote:
>
> > Regardless of that potential con, though, there is one very important thing
> > which Proof of Possession is good for, regardless
That is my reading of the situation, that they're not doing an actual
certification of an enrollment without verifying the actual key-identity
binding.
In addition, I'm wondering if the concept of "third-party attestation" (of
identity) is even a thing anymore, given that most CAs issue certificat
CABForum's current Basic Requirements, section 3.2.1, is titled "Method to
prove possession of private key".
It is currently blank.
A potential attack without Proof of Possession which PKIX glosses over
could involve someone believing that a signature on a document combined
with the non-possessio
Another article about this is
http://www.securityweek.com/francisco-partners-acquires-comodo-ca .
Notably, I'm not seeing anything in the official news announcements
pages for either Francisco Partners or Comodo. Is this an attempt at
another StartCom (silent ownership transfer), or is it a c
http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy