Q for PKI Twitter: how bad is it if a CA doesn't verify CSR signature? BRs don't require, correct? EKU is TLS server/client. cc: @sleevi_
@sleevi_ That section is empty... And yeah, I think TLS is OK since swapping out a certificate would be detected in the Finished message.
@__agwa Well, I'm not even speaking of TLS attacks. It just means a CA would certify Key B (attacker) than Key A, which is, yanno, bad.
@sleevi_ I agree; just trying to gauge implications here. And do BRs really require it or is that section artifact of RFC 3647 conversion?
@__agwa I'm saying BRs don't require you validate the CSR signature, AFAIK :) That said, you SHOULD make sure key+applicant are same ;)
@sleevi_ Gotcha :-) Thanks.