Inspired by @sleevi_ in m.d.s.p.: Detail a meaningful attack that exploits a CA not verifying proof of possession of the private key for the public key in the CSR, or explain why there could never be such a meaningful attack. (FWIW, most USG standards mandate CAs verify PoP.)
Replying to @BRIAN_____ @sleevi_
There's no attack against TLS 1.3 because the private key is used to sign a handshake transcript which includes the certificate. This is a superset of the information in a CSR, so it accomplishes at least as much as CSR self-signature. Bonus: it's fresh and not reliant on a TTP.
1 reply 0 retweets 3 likes -
Earlier versions of TLS are similar: the certificate is authenticated by a shared secret known only by client and holder of the private key.
2 replies 0 retweets 1 like -
In general, I think any protocol which includes the identity of sender in signed message, or identity of recipient in encrypted message, doesn't need CA to check PoP, because there's no way for private key to be used with an unexpected identity.
1 reply 0 retweets 1 like -
Replying to @__agwa @BRIAN_____
I don’t think that’s the sole property - e.g. protocols that do lookups of keys to identities, or identities to keys, both need PoP (e.g. S/MIME)
1 reply 0 retweets 2 likes
Perhaps, though is there ever a need to do lookups that aren't in conjunction with verifying or encrypting a message - in which case you can bind the identity to the message to prevent attacks?
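Added example, not part of the thread or any participant's code: a Go sketch of the identity-binding argument made above for TLS 1.3 and for protocols that sign the sender's identity. It assumes a toy `Cert` type with no CA signature, constructed subject names, and a constructed Ed25519 test key; all function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Cert is a toy certificate (hypothetical, CA signature omitted): the CA's
// assertion that Subject owns PublicKey.
type Cert struct {
	Subject   string
	PublicKey ed25519.PublicKey
}

// encode serializes the certificate: NUL-terminated subject, then the 32-byte key.
func (c Cert) encode() []byte {
	return append([]byte(c.Subject+"\x00"), c.PublicKey...)
}

// signBound signs cert||msg, in the spirit of a TLS 1.3 CertificateVerify
// signature over a transcript that contains the Certificate message.
func signBound(priv ed25519.PrivateKey, own Cert, msg []byte) []byte {
	return ed25519.Sign(priv, append(own.encode(), msg...))
}

// verifyBound rebuilds cert||msg from the certificate the verifier was shown.
func verifyBound(shown Cert, msg, sig []byte) bool {
	return ed25519.Verify(shown.PublicKey, append(shown.encode(), msg...), sig)
}

// verifyUnbound checks a signature over msg alone; identity comes only from the cert.
func verifyUnbound(shown Cert, msg, sig []byte) bool {
	return ed25519.Verify(shown.PublicKey, msg, sig)
}

// scenario models a CA that skipped PoP and certified the holder's public key
// under a second subject. It reports whether that second certificate is
// accepted without binding, with binding, and whether the holder's own
// certificate is accepted with binding.
func scenario() (unboundOther, boundOther, boundHolder bool) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed test key
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	holder := Cert{"alice.example", pub}  // constructed name
	other := Cert{"mallory.example", pub} // same key, issued without PoP
	msg := []byte("constructed message")
	unboundOther = verifyUnbound(other, msg, ed25519.Sign(priv, msg))
	sig := signBound(priv, holder, msg)
	return unboundOther, verifyBound(other, msg, sig), verifyBound(holder, msg, sig)
}

func main() { fmt.Println(scenario()) } // true false true
```

Only the unbound check lets the holder's signature be attributed to the second subject, which is the case where the relying party depends on the CA having verified PoP.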