John Gray <john.g...@entrust.com> writes:

>You can replay the CSR and get the certificate request by the original party
>signed by whatever CA you want, but would that do you any good if you don't
>have the private key?
That's exactly the point, which others have also made in the thread. Yes, you can do this, but then what? Or, to be pedantic, "then what that's actually useful in practice to an attacker rather than something that justifies a conference paper?". In other words, what real-world problem are we actually solving by requiring PoP, how much existing practice will it break by doing so, and is it worth the cost?

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
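The replay John describes, worked through as an added example (this is editor's illustration code, not part of the list message or of any IETF text). A Go program using only the standard library: the original party's PKCS#10 CSR is replayed unchanged to a second CA, which accepts it because the CSR self-signature, the usual PoP check, still verifies. The attacker cannot edit the name in the request without breaking that self-signature, and cannot use the issued certificate, because authenticating with it (modelled with a constructed byte string standing in for the TLS handshake transcript) needs the private key they never had. The CA, the name victim.example and the transcript bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ReplayResult records what each party in the constructed scenario can do.
type ReplayResult struct {
	CSRSignatureValid   bool // the PKCS#10 self-signature on the replayed CSR still verifies
	CertIssued          bool // the second CA issued a certificate for the original party's key
	TamperedCSRRejected bool // a CSR whose subject the attacker edited fails the same check
	AttackerCanSign     bool // the attacker can produce a signature the new certificate validates
	VictimCanSign       bool // the original key holder can
}

// newCA builds a throwaway self-signed CA (the "whatever CA you want" of the thread).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Other CA (constructed for the example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueFromCSR models a CA whose only PoP check is the CSR self-signature.
// accepted is false when that check fails; cert is nil in that case.
func issueFromCSR(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) (*x509.Certificate, bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, false, nil // self-signature does not verify: refuse to issue
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, true, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, true, err
}

// canAuthenticate stands in for a TLS CertificateVerify: sign the transcript with key
// and check the signature against the public key carried in cert.
func canAuthenticate(cert *x509.Certificate, key *ecdsa.PrivateKey, transcript []byte) bool {
	digest := sha256.Sum256(transcript)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return false
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, transcript, sig) == nil
}

// ReplayScenario runs the exchange end to end and reports who can do what.
func ReplayScenario() (ReplayResult, error) {
	var res ReplayResult

	// The original party generates a key and signs a CSR for its own name.
	victimKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "victim.example"},
		DNSNames: []string{"victim.example"},
	}, victimKey)
	if err != nil {
		return res, err
	}

	// The attacker, who saw csrDER go by, replays it unchanged to a CA of their choosing.
	caCert, caKey, err := newCA()
	if err != nil {
		return res, err
	}
	cert, accepted, err := issueFromCSR(caCert, caKey, csrDER)
	if err != nil {
		return res, err
	}
	res.CSRSignatureValid = accepted
	res.CertIssued = cert != nil

	// The attacker cannot edit the request: changing one byte of the subject CN
	// (same length, so the DER still parses) invalidates the self-signature.
	tampered := append([]byte(nil), csrDER...)
	if idx := bytes.Index(tampered, []byte("victim.example")); idx >= 0 {
		tampered[idx] = 'w'
	}
	tcert, taccepted, terr := issueFromCSR(caCert, caKey, tampered)
	res.TamperedCSRRejected = terr != nil || (!taccepted && tcert == nil)

	// Try to use the issued certificate, with and without the matching private key.
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	transcript := []byte("constructed stand-in for a TLS handshake transcript")
	if cert != nil {
		res.AttackerCanSign = canAuthenticate(cert, attackerKey, transcript)
		res.VictimCanSign = canAuthenticate(cert, victimKey, transcript)
	}
	return res, nil
}

func main() {
	res, err := ReplayScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Running it yields CSRSignatureValid and CertIssued true (the replay works, exactly as John says), TamperedCSRRejected true, AttackerCanSign false and VictimCanSign true: the second CA ends up binding the original party's name to the original party's key, which is what any CA would have done anyway.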