[cabfpub] Private key control

Ryan Sleevi sleevi at google.com
Thu Oct 23 21:16:16 UTC 2014

Can you describe a situation in which this "oversight" creates any
meaningful security issue?

On Wed, Oct 22, 2014 at 6:56 PM, Jeremy Rowley <jeremy.rowley at digicert.com>

>  During the Code Signing BR discussion a few weeks ago, we noticed that
> the Baseline Requirements lack a definitive requirement for the CA to
> confirm that the Application is properly associated with the Public Key
> being included in the certificate.  We’d like to remedy this oversight.
> What does everyone think about adding a section similar to the following to
> the BRs?
>  Section 11.1.5    Verification of Key Pair Association
> Prior to issuing a Certificate, the CA MUST verify that the Applicant’s
> Private Key is properly associated with the Public Key and a subject name
> to be included in the Certificate. The CA MAY verify this association by
> obtaining a CSR from the Applicant.
> Jeremy
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public