Describe subscriber key checks (#262)

Fixes #227
letsencrypt · Jan 15, 2025 · fc17e8c · fc17e8c
1 parent c21f852
commit fc17e8c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/CP-CPS.md b/CP-CPS.md
@@ -827,7 +827,7 @@ If a suitable successor entity does not exist, the following steps will be taken
 
 ISRG CA Private Keys are generated by HSMs meeting the requirements of Section 6.2.1. This occurs during a ceremony meeting the requirements of this CP/CPS.
 
-See the Let's Encrypt Subscriber Agreement for information regarding Subscriber key pair generation.
+See the Let's Encrypt Subscriber Agreement for information regarding Subscriber key pair generation. Once submitted as part of a certificate request, Subscriber Public Keys are rejected if they do not meet our size requirements (see Section 6.1.5), can be easily compromised by certain attacks (e.g. ROCA, Fermat factorization), or appear in our database of known-weak and known-compromised keys.
 
 ### 6.1.2 Private key delivery to subscriber