[SSL Observatory] https://controller.mobile.lan
Dean Coclin
dean.j.coclin at verizon.net
Mon Feb 6 18:19:09 PST 2012
This is Dean from Symantec. I'd like to offer the following with regard to
your question about this certificate:
This is a legitimate certificate that VeriSign issued to Securepoint for
their Network Access Controller (NAC). See
http://download.securepoint.de/files/Handbuecher/NAC/NAC_Common_Delegated_Administration_Guide.pdf
Customers have approached VeriSign with a similar need: they produce an app
or appliance that is to be deployed in their customer's network, and they
want out-of-the-box SSL certificate protection. Since they cannot know in
advance what will be the host name that their customer will provide for the
app or appliance (and they don't wish to burden their customer with the task
of generating and installing an SSL certificate after installation), they purchase an SSL
certificate for an internal-only domain name, and deploy the same private
key and certificate in each app or appliance.
As was pointed out, this cert was issued in 2010. The CAB Forum has
addressed the issuance of SSL certs to non-FQDNs in the Baseline
Requirements which were recently adopted.
Dean Coclin
-----Original Message-----
From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On
Behalf Of Daniel Kahn Gillmor
Sent: Monday, February 06, 2012 3:09 PM
To: EFF Observatory
Subject: Re: [SSL Observatory] https://controller.mobile.lan
On 02/06/2012 02:42 PM, Jacob Appelbaum wrote:
> I'm at a hotel in Munich and I found a rather funny cert performing a
> full MITM for *:443 - https://controller.mobile.lan is signed by VeriSign.
>
> CN = VeriSign Class 3 Secure Server CA - G2
interesting. I can confirm that this verifies through the attached
intermediate certificate to the root shipped by Mozilla as:
Verisign Class 3 Public Primary Certification Authority - G2
> X509v3 CRL Distribution Points:
>
> URI:http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl
This CRL does not list the certificate's serial number.
So, is .lan a known TLD, or was Verisign issuing certificates for non-FQDNs
as recently as August 2010?
Anyone from Verisign want to comment on this?
--dkg
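The two things this thread turns on are checkable from the outside: whether a certificate's name could ever be a public FQDN (dkg's ".lan" question), and whether one certificate, and therefore one private key, is being served from many unrelated networks (the appliance deployment pattern Dean describes, which is what let a hotel gateway terminate TLS for every site with a VeriSign-chained cert). The script below is an added example, not code from the thread, the EFF Observatory, or Securepoint. It classifies names using the reserved and private-use suffixes from RFC 2606 and RFC 6762 Appendix G (which lists .lan among the names commonly used on internal networks), then groups constructed scan observations by certificate fingerprint to flag a cert seen on many hosts. The fingerprints and host addresses in `SAMPLE_OBSERVATIONS` are constructed placeholders, not real values.

```python
import ipaddress
from collections import defaultdict

# Suffixes that never resolve in public DNS: RFC 2606 reserved names, the mDNS
# ".local" zone (RFC 6762), and the private-use names RFC 6762 Appendix G lists
# as commonly seen on internal networks (.lan among them).
INTERNAL_SUFFIXES = (
    ".test", ".example", ".invalid", ".localhost",
    ".local", ".intranet", ".internal", ".private", ".corp", ".home", ".lan",
)


def is_internal_name(name: str) -> bool:
    """True if a subject CN / SAN entry could not be a publicly resolvable FQDN."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return True
    # IP-address literals: RFC 1918, loopback and similar ranges count as internal.
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    if name.startswith("*."):
        name = name[2:]  # a wildcard is internal exactly when its base name is
    if "." not in name:
        return True  # single-label names such as "controller" or "localhost"
    return name.endswith(INTERNAL_SUFFIXES)


def find_shared_certs(observations, min_hosts=3):
    """Group scan observations by certificate fingerprint and report any
    fingerprint served by at least `min_hosts` distinct hosts: from outside,
    a key-and-cert pair baked into every unit of an appliance looks like one
    certificate answering on many unrelated addresses."""
    by_fp = defaultdict(lambda: {"hosts": set(), "names": set()})
    for obs in observations:
        entry = by_fp[obs["fingerprint"]]
        entry["hosts"].add(obs["host"])
        entry["names"].update(obs["names"])
    findings = []
    for fp, entry in by_fp.items():
        if len(entry["hosts"]) >= min_hosts:
            findings.append({
                "fingerprint": fp,
                "host_count": len(entry["hosts"]),
                # names on the cert that could never be public DNS names
                "internal_names": sorted(n for n in entry["names"] if is_internal_name(n)),
            })
    return sorted(findings, key=lambda f: -f["host_count"])


# Constructed sample data (hypothetical): each record is one TLS handshake seen
# by a scanner. Fingerprints are placeholder strings, hosts are documentation-
# range addresses. Three different networks answer with the same certificate.
SAMPLE_OBSERVATIONS = [
    {"host": "192.0.2.10",    "fingerprint": "fp-constructed-0001", "names": ["controller.mobile.lan"]},
    {"host": "198.51.100.7",  "fingerprint": "fp-constructed-0001", "names": ["controller.mobile.lan"]},
    {"host": "203.0.113.42",  "fingerprint": "fp-constructed-0001", "names": ["controller.mobile.lan"]},
    {"host": "192.0.2.20",    "fingerprint": "fp-constructed-0002", "names": ["www.example.org"]},
    {"host": "198.51.100.9",  "fingerprint": "fp-constructed-0003", "names": ["*.example.net"]},
]

if __name__ == "__main__":
    for finding in find_shared_certs(SAMPLE_OBSERVATIONS):
        print(f"{finding['fingerprint']}: seen on {finding['host_count']} hosts, "
              f"internal names {finding['internal_names']}")
```

A real run would feed `find_shared_certs` records from a scanner or an Observatory-style dataset keyed by the SHA-256 of the DER certificate; the threshold is deliberately a parameter, since a cert legitimately served by one organisation's load-balanced hosts will also cluster, and the combination of a high host count with internal-only names is the signal worth reviewing.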