Inspired by @sleevi_ in m.d.s.p.: Detail a meaningful attack that exploits a CA not verifying proof of possession of the private key for the public key in the CSR, or explain why there could never be such a meaningful attack. (FWIW, most USG standards mandate CAs verify PoP.)
Replying to @BRIAN_____ @sleevi_
There's no attack against TLS 1.3 because the private key is used to sign a handshake transcript which includes the certificate. This is a superset of the information in a CSR, so it accomplishes at least as much as CSR self-signature. Bonus: it's fresh and not reliant on a TTP.
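The argument in the tweet above, as an added worked example written for this page (it is not code from the thread's participants): a requester who knows only a victim's public key hand-builds a CSR carrying that key, a CA that skips proof of possession issues a certificate for it, and the resulting certificate is then useless to the requester in a TLS 1.3 handshake, because CertificateVerify signs a transcript hash that covers the Certificate message and the verification key is taken from that certificate. Everything uses the Go standard library; the names victim.example and "No-PoP CA" are made up, the CSR is assembled with encoding/asn1 precisely so that the embedded key and the signing key can disagree, and the transcript hash is a simplified stand-in (fresh randoms plus the certificate DER) for Transcript-Hash(ClientHello..Certificate).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidEd25519 = asn1.ObjectIdentifier{1, 3, 101, 112} // id-Ed25519, RFC 8410

func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

// csrFor hand-builds a PKCS#10 CSR for the made-up name victim.example carrying pub but signed with signingKey.
func csrFor(pub ed25519.PublicKey, signingKey ed25519.PrivateKey) []byte {
	subject := must(asn1.Marshal(pkix.Name{CommonName: "victim.example"}.ToRDNSequence()))
	spki := must(x509.MarshalPKIXPublicKey(pub))
	tbs := must(asn1.Marshal(struct {
		Version    int
		Subject    asn1.RawValue
		SPKI       asn1.RawValue
		Attributes asn1.RawValue
	}{0, asn1.RawValue{FullBytes: subject}, asn1.RawValue{FullBytes: spki},
		asn1.RawValue{FullBytes: []byte{0xa0, 0x00}}})) // empty [0] IMPLICIT attribute SET
	sig := ed25519.Sign(signingKey, tbs) // the CSR self-signature: this is the proof of possession
	return must(asn1.Marshal(struct {
		TBS       asn1.RawValue
		Algorithm pkix.AlgorithmIdentifier
		Signature asn1.BitString
	}{asn1.RawValue{FullBytes: tbs}, pkix.AlgorithmIdentifier{Algorithm: oidEd25519},
		asn1.BitString{Bytes: sig, BitLength: len(sig) * 8}}))
}

// csrProvesPossession is the PoP check: does the self-signature verify under the key the CSR carries?
func csrProvesPossession(csrDER []byte) bool {
	csr, err := x509.ParseCertificateRequest(csrDER)
	return err == nil && csr.CheckSignature() == nil
}

// issueWithoutPoP models a CA (made-up name "No-PoP CA") that never calls CheckSignature.
func issueWithoutPoP(csrDER []byte, caPriv ed25519.PrivateKey) []byte {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		panic(err)
	}
	issuer := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "No-PoP CA"}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return must(x509.CreateCertificate(rand.Reader, leaf, issuer, csr.PublicKey, caPriv))
}

// certificateVerifyInput is the signed content of RFC 8446 section 4.4.3: 64 spaces, context string, zero byte, transcript hash.
func certificateVerifyInput(transcriptHash []byte) []byte {
	in := bytes.Repeat([]byte{0x20}, 64)
	in = append(in, "TLS 1.3, server CertificateVerify"...)
	in = append(in, 0x00)
	return append(in, transcriptHash...)
}

// verifyCertificateVerify is the client's check; the verification key comes from the certificate itself.
func verifyCertificateVerify(certDER, th, sig []byte) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, certificateVerifyInput(th), sig)
}

// RunScenario: a requester who knows only the victim's public key gets a no-PoP CA to certify it, then tries to serve TLS 1.3 with it.
func RunScenario() (victimCSR, forgedCSR, attackerHandshake, victimHandshake bool) {
	victimPub, victimPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	victimCSR = csrProvesPossession(csrFor(victimPub, victimPriv))
	forged := csrFor(victimPub, attackerPriv)
	forgedCSR = csrProvesPossession(forged)
	certDER := issueWithoutPoP(forged, caPriv) // mis-issued: the attacker holds the certificate but not the key
	randoms := make([]byte, 64)                // client_random || server_random, fresh per handshake (simplified transcript)
	rand.Read(randoms)
	th := sha256.Sum256(append(randoms, certDER...)) // stand-in for Transcript-Hash(ClientHello..Certificate)
	attackerHandshake = verifyCertificateVerify(certDER, th[:], ed25519.Sign(attackerPriv, certificateVerifyInput(th[:])))
	victimHandshake = verifyCertificateVerify(certDER, th[:], ed25519.Sign(victimPriv, certificateVerifyInput(th[:])))
	return
}

func main() {
	a, b, c, d := RunScenario()
	fmt.Printf("victim CSR verifies=%v forged CSR verifies=%v attacker handshake=%v victim handshake=%v\n", a, b, c, d)
}
```

Running it prints true/false/false/true: the genuine CSR passes the PoP check, the forged one fails it, and whether or not the CA checked, the handshake only completes for the party holding the private key. The CSR self-signature and CertificateVerify are the same kind of proof; the handshake version is stronger because it is bound to fresh randoms and to the exact certificate presented, and it is checked by the relying party rather than trusted from the CA.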
Earlier versions of TLS are similar: the certificate is authenticated by a shared secret known only by client and holder of the private key.
I'm not sure that's the case? https://blog.cryptographyengineering.com/2014/04/24/attack-of-week-triple-handshakes-3shake/
Right. I didn't phrase that Tweet well. If the holder of the certificate private key wants to play shenanigans with the MS they can. But that's not applicable to the no-proof-of-possession scenario because in that case the would-be attacker doesn't hold the private key.