@__agwa Section 3.2.1 of the BRs (v1.3.1)
@__agwa And the CSR sig check primarily serves as a proof of possession check. Without that, you've got substitution attacks, but may be OK
@sleevi_ That section is empty... And yeah, I think TLS is OK since swapping out a certificate would be detected in the Finished message.
@__agwa Well, I'm not even speaking of TLS attacks. It just means a CA would certify Key B (attacker) rather than Key A, which is, yanno, bad.
@sleevi_ I agree; just trying to gauge implications here. And do BRs really require it or is that section an artifact of RFC 3647 conversion?
@__agwa I'm saying BRs don't require you validate the CSR signature, AFAIK :) That said, you SHOULD make sure key+applicant are same ;)
@sleevi_ Gotcha :-) Thanks.