Tomas Gustavsson <tomas.gustavs...@keyfactor.com> writes:

> I'd like to add that adding a challenge-response POP needs to be built into
> protocols as well, not only in CSR formats/specification. Only adding a
> method for this to PKCS#10, without also specifying how it is to be used in
> ACME, CMP, EST and SCEP, will most likely wreak total havoc.

We also need to ask CAs and users what they want. The advantage of a CSR is that it can be pasted into a web form, emailed, POSTed to a server, and many other mechanisms. Challenge-response PoP breaks all of that, which means it breaks most of the common mechanisms for getting a cert outside the web PKI, where CSRs are near-universal. So even adding a mechanism for this to PKCS #10 will wreak total havoc, or in practice just get ignored. This is why the nearly 30-year-old PKCS #10, like the B52, keeps outliving all of its successors: it gets the job done in a way that suits users.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls