[SSL Observatory] https://controller.mobile.lan

Dean Coclin dean.j.coclin at verizon.net
Mon Feb 6 18:19:09 PST 2012


This is Dean from Symantec. I'd like to offer the following with regard to
your question about this certificate:

This is a legitimate certificate that VeriSign issued to Securepoint for
their Network Access Controller (NAC). See
http://download.securepoint.de/files/Handbuecher/NAC/NAC_Common_Delegated_Administration_Guide.pdf

Customers have approached VeriSign with a similar need: they produce an app
or appliance that is to be deployed in their customer's network, and they
want out-of-the-box SSL certificate protection. Since they cannot know in
advance what will be the host name that their customer will provide for the
app or appliance (and they don't wish to burden their customer with the task
of generating and 
installing an SSL certificate after installation), they purchase an SSL
certificate for an internal-only domain name, and deploy the same private
key and certificate in each app or appliance.

As was pointed out, this cert was issued in 2010. The CAB Forum has
addressed the issuance of SSL certs to non-FQDNs in the baseline
requirements which were recently adopted.

Dean Coclin

-----Original Message-----
From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On
Behalf Of Daniel Kahn Gillmor
Sent: Monday, February 06, 2012 3:09 PM
To: EFF Observatory
Subject: Re: [SSL Observatory] https://controller.mobile.lan

On 02/06/2012 02:42 PM, Jacob Appelbaum wrote:
> I'm at a hotel in Munich and I found a rather funny cert performing a 
> full MITM for *:443 - https://controller.mobile.lan is signed by VeriSign.
> 
> CN = VeriSign Class 3 Secure Server CA - G2


interesting.  I can confirm that this verifies through the attached
intermediate certificate to the root shipped by Mozilla as:

  Verisign Class 3 Public Primary Certification Authority - G2

>             X509v3 CRL Distribution Points:
>                 URI:http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl

This CRL does not list the certificate's serial number.

So, is .lan a known TLD, or was Verisign issuing certificates for non-FQDNs
as recently as August 2010?

Anyone from Verisign want to comment on this?

	--dkg
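The checks dkg describes (does the leaf chain through the intermediate to the trusted root, is its serial absent from the CRL the certificate points at) and the point Dean raises (the subject is an internal-only name, not a public FQDN) as an added example, not code from the thread or from VeriSign, Symantec or Securepoint. It uses Python's `cryptography` library against a constructed stand-in chain: the root, intermediate, leaf, CRL and the CRL distribution point URI are all generated in memory here, the list of internal suffixes is a hand-picked assumption, and a real check would fetch the CRL from the URI the certificate carries and take the root from the Mozilla store rather than from this file.

```python
"""Chain, CRL and naming checks for a server certificate (added example).
Everything below the helpers is a constructed stand-in for the VeriSign
chain discussed on the list, not the real certificates."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

# Assumption: suffixes treated as internal-only. ".lan" is not a public TLD;
# the rest are common private-network conventions.
INTERNAL_SUFFIXES = {"lan", "local", "localhost", "internal", "corp", "home"}

NOW = datetime.now(timezone.utc)
NOW_NAIVE = NOW.replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(cn, issuer_cert, issuer_key, key, ca, crl_uri=None):
    """Build and sign one certificate; issuer_cert=None means self-signed."""
    issuer = issuer_cert.subject if issuer_cert is not None else _name(cn)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if crl_uri:
        dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(crl_uri)],
                                    relative_name=None, reasons=None, crl_issuer=None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def _signature_ok(cert, issuer_pub):
    """Verify cert's signature under the issuer key (RSA PKCS#1 v1.5 or ECDSA)."""
    try:
        if isinstance(issuer_pub, rsa.RSAPublicKey):
            issuer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              padding.PKCS1v15(), cert.signature_hash_algorithm)
        else:
            issuer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _validity(cert):
    """(not_before, not_after) as naive UTC, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def verify_chain(leaf, intermediates, root):
    """Walk leaf -> intermediates -> root: each issuer name must match the next
    subject, each signature must verify under the next key, every issuer must
    be a CA, and every cert must be inside its validity window. The root is
    trusted by fiat, as the Mozilla-shipped anchor is."""
    chain = [leaf] + list(intermediates) + [root]
    for cert, issuer in zip(chain, chain[1:] + [root]):
        if cert.issuer != issuer.subject or not _signature_ok(cert, issuer.public_key()):
            return False
        try:
            if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
                return False
        except x509.ExtensionNotFound:
            return False
        not_before, not_after = _validity(cert)
        if not (not_before <= NOW_NAIVE <= not_after):
            return False
    return True


def crl_urls(cert):
    """URIs from the CRL Distribution Points extension (empty if absent)."""
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in dps for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def revoked_by_crl(cert, crl, issuer):
    """True if the CRL lists cert's serial. A CRL that does not verify under the
    issuer key is rejected outright, so a substituted empty CRL cannot pass."""
    if not crl.is_signature_valid(issuer.public_key()):
        raise ValueError("CRL signature does not verify under the issuer key")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def is_internal_name(hostname):
    """True when the name is not a public FQDN: one label, or an undelegated suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    return len(labels) < 2 or labels[-1] in INTERNAL_SUFFIXES


# Constructed stand-in chain and a CRL from the intermediate that revokes some
# other serial, so the leaf's serial is absent, as dkg observed.
ROOT_KEY, INTER_KEY, LEAF_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = _make_cert("Demo Class 3 Public Primary CA", None, ROOT_KEY, ROOT_KEY, ca=True)
INTER = _make_cert("Demo Class 3 Secure Server CA", ROOT, ROOT_KEY, INTER_KEY, ca=True)
LEAF = _make_cert("controller.mobile.lan", INTER, INTER_KEY, LEAF_KEY, ca=False,
                  crl_uri="http://crl.example.invalid/SecureServer.crl")  # assumed URI
CRL = (x509.CertificateRevocationListBuilder().issuer_name(INTER.subject)
       .last_update(NOW - timedelta(hours=1)).next_update(NOW + timedelta(days=7))
       .add_revoked_certificate(x509.RevokedCertificateBuilder()
                                .serial_number(LEAF.serial_number + 1)
                                .revocation_date(NOW - timedelta(hours=1)).build())
       .sign(INTER_KEY, hashes.SHA256()))
# Same name, same issuer name, but signed by a key nobody trusts: must fail.
ROGUE = _make_cert("controller.mobile.lan", INTER,
                   ec.generate_private_key(ec.SECP256R1()), LEAF_KEY, ca=False)

if __name__ == "__main__":
    print("chain verifies:", verify_chain(LEAF, [INTER], ROOT))
    print("rogue chain verifies:", verify_chain(ROGUE, [INTER], ROOT))
    print("CRL URIs:", crl_urls(LEAF))
    print("serial listed in CRL:", revoked_by_crl(LEAF, CRL, INTER))
    print("internal-only name:", is_internal_name(LEAF.subject.rfc4514_string()[3:]))
```

Note that an absent serial in the CRL says nothing about whether the certificate should exist; with one private key shipped inside every appliance, any holder of one unit can impersonate the name, which is exactly the hotel MITM case in the thread, and the only remedy is revocation plus not issuing to non-public names at all.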
