On Sat, May 16, 2020 at 8:18 PM Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Kurt Roeckx via dev-security-policy
> writes:
>
> >Browsing crt.sh, I found this: https://crt.sh/?id=1902422627
> >
> >It's a certificate for api.pillowz.kz with the public key
Peter Bowen writes:
>There is no requirement to submit a PKCS#10 CSR.
Hmm, so what sort of issue process allows you to obtain a certificate for a key
you don't control?
Peter.
___
dev-security-policy mailing list
> In particular, there must have been some authorisation carried out at some
> point, or perhaps that wasn't carried out, that indicates who requested the
> cert. What I'm trying to discover is where the gap was, and what's
> required
> to fix it in the future.
>
What gap, exactly? There’s not
On Sun, May 17, 2020 at 10:47 PM Peter Gutmann via dev-security-policy
wrote:
> I assume this is ACME that allows a key to be certified without any proof that
> the entity requesting the certificate controls it? I don't know that any of
> the PKIX protocols allow it.
I do not see anywhere in
Corey Bonnell writes:
>Certificate renewal that uses the existing certificate as input, rather than
>a CSR. The (presumably expiring) certificate supplies the domains,
>organization info, and the public key for the renewal certificate request. In
>this case there is no proof of key possession
Matthew Hardeman writes:
>What gap, exactly? There’s not a risk here.
There are attacks possible, but this stuff was covered more than twenty years
ago by PKIX and I can't remember the specifics. It was around various ways of
fooling a victim that you'd signed something that you hadn't based
On Mon, May 18, 2020 at 03:46:46AM +, Peter Gutmann via dev-security-policy
wrote:
> I assume this is ACME that allows a key to be certified without any proof that
> the entity requesting the certificate controls it?
ACME requires a CSR to be submitted in order to get the certificate issued.
I thought I posted on this a while ago, but I can't seem to find the post. It
may have been CAB Forum (where the archives are nearly useless). The conclusion
from that is the CSR isn't required as part of the issuance process because
there isn't a risk without having actual control over the
8 matches
Mail list logo