Re: Digicert issued certificate with let's encrypts public key

2020-05-17 Thread Peter Bowen via dev-security-policy
On Sat, May 16, 2020 at 8:18 PM Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Kurt Roeckx via dev-security-policy writes:
>
> >Browsing crt.sh, I found this: https://crt.sh/?id=1902422627
> >
> >It's a certificate for api.pillowz.kz with the public key

Re: Digicert issued certificate with let's encrypts public key

2020-05-17 Thread Peter Gutmann via dev-security-policy
Peter Bowen writes:
>There is no requirement to submit a PKCS#10 CSR.

Hmm, so what sort of issue process allows you to obtain a certificate for a key you don't control?

Peter.

Re: Digicert issued certificate with let's encrypts public key

2020-05-17 Thread Matthew Hardeman via dev-security-policy
> In particular, there must have been some authorisation carried out at some
> point, or perhaps that wasn't carried out, that indicates who requested the
> cert. What I'm trying to discover is where the gap was, and what's required
> to fix it in the future.

What gap, exactly? There’s not

Re: Digicert issued certificate with let's encrypts public key

2020-05-17 Thread Carl Mehner via dev-security-policy
On Sun, May 17, 2020 at 10:47 PM Peter Gutmann via dev-security-policy wrote:
> I assume this is ACME that allows a key to be certified without any proof that
> the entity requesting the certificate controls it? I don't know that any of
> the PKIX protocols allow it.

I do not see anywhere in

Re: Digicert issued certificate with let's encrypts public key

2020-05-17 Thread Peter Gutmann via dev-security-policy
Corey Bonnell writes:
>Certificate renewal that uses the existing certificate as input, rather than
>a CSR. The (presumably expiring) certificate supplies the domains,
>organization info, and the public key for the renewal certificate request. In
>this case there is no proof of key possession

Re: Digicert issued certificate with let's encrypts public key

2020-05-17 Thread Peter Gutmann via dev-security-policy
Matthew Hardeman writes:
>What gap, exactly? There’s not a risk here.

There are attacks possible, but this stuff was covered more than twenty years ago by PKIX and I can't remember the specifics. It was around various ways of fooling a victim that you'd signed something that you hadn't based

Re: Digicert issued certificate with let's encrypts public key

2020-05-17 Thread Matt Palmer via dev-security-policy
On Mon, May 18, 2020 at 03:46:46AM +, Peter Gutmann via dev-security-policy wrote:
> I assume this is ACME that allows a key to be certified without any proof that
> the entity requesting the certificate controls it?

ACME requires a CSR to be submitted in order to get the certificate issued.

RE: Digicert issued certificate with let's encrypts public key

2020-05-17 Thread Jeremy Rowley via dev-security-policy
I thought I posted on this a while ago, but I can't seem to find the post. It may have been CAB Forum (where the archives are nearly useless). The conclusion from that is the CSR isn't required as part of the issuance process because there isn't a risk without having actual control over the