[cabfpub] Private key control

Ryan Sleevi sleevi at google.com
Thu Oct 23 14:16:16 MST 2014


Can you describe a situation in which this "oversight" creates any
meaningful security issue?

On Wed, Oct 22, 2014 at 6:56 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

>  During the Code Signing BR discussion a few weeks ago, we noticed that
> the Baseline Requirements lack a definitive requirement for the CA to
> confirm that the Application is properly associated with the Public Key
> being included in the certificate.  We’d like to remedy this oversight.
> What does everyone think about adding a section similar to the following to
> the BRs?
>
>  Section 11.1.5    Verification of Key Pair Association
>
> Prior to issuing a Certificate, the CA MUST verify that the Applicant’s
> Private Key is properly associated with the Public Key and a subject name
> to be included in the Certificate. The CA MAY verify this association by
> obtaining a CSR from the Applicant.
>
>
>
> Jeremy
>