[cabfpub] Private key control
sleevi at google.com
Thu Oct 23 14:16:16 MST 2014
Can you describe a situation in which this "oversight" creates any
meaningful security issue?
On Wed, Oct 22, 2014 at 6:56 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> During the Code Signing BR discussion a few weeks ago, we noticed that
> the Baseline Requirements lack a definitive requirement for the CA to
> confirm that the Application is properly associated with the Public Key
> being included in the certificate. We’d like to remedy this oversight.
> What does everyone think about adding a section similar to the following to
> the BRs?
> Section 11.1.5 Verification of Key Pair Association
> Prior to issuing a Certificate, the CA MUST verify that the Applicant’s
> Private Key is properly associated with the Public Key and a subject name
> to be included in the Certificate. The CA MAY verify this association by
> obtaining a CSR from the Applicant.