Inspired by @sleevi_ in m.d.s.p.: Detail a meaningful attack that exploits a CA not verifying proof of possession of the private key for the public key in the CSR, or explain why there could never be such a meaningful attack. (FWIW, most USG standards mandate CAs verify PoP.)
-
-
I don’t think that’s the sole property - e.g. protocols that do lookups or keys to identities, or identities to keys, both need PoP (e.g. S/MIME)
-
Perhaps, though is there ever a need to do lookups that aren't in conjunction with verifying or encrypting a message - in which case you can bind the identity to the message to prevent attacks?
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.