[cabfpub] Private key control
Richard Wang
richard at wosign.com
Thu Oct 23 17:31:04 MST 2014
I think this is no necessary since the CSR is generated by XEnroll in real time while applying the code signing cert, it should be associated.
Best Regards,
Richard
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Friday, October 24, 2014 5:16 AM
To: Jeremy Rowley
Cc: CABFPub
Subject: Re: [cabfpub] Private key control
Can you describe a situation in which this "oversight" creates any meaningful security issue?
On Wed, Oct 22, 2014 at 6:56 PM, Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com> > wrote:
During the Code Signing BR discussion a few weeks ago, we noticed that the Baseline Requirements lack a definitive requirement for the CA to confirm that the Application is properly associated with the Public Key being included in the certificate. We’d like to remedy this oversight. What does everyone thing about adding a section similar to the following to the BRs?
Section 11.1.5 Verification of Key Pair Association
Prior to issuing a Certificate, the CA MUST verify that the Applicant’s Private Key is properly associated with the Public Key and a subject name to be included in the Certificate. The CA MAY verify this association by obtaining a CSR from the Applicant.
Jeremy
_______________________________________________
Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141024/514cc3a0/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6128 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20141024/514cc3a0/attachment-0001.bin
More information about the Public
mailing list