[SSL Observatory] https://controller.mobile.lan
Jacob Appelbaum
jacob at appelbaum.net
Tue Feb 7 00:26:52 PST 2012
Hi Dean,
On 02/07/2012 03:19 AM, Dean Coclin wrote:
> This is Dean from Symantec. I'd like to offer the following with regard to
> your question about this certificate:
>
> This is a legitimate certificate that VeriSign issued to Securepoint for
> their Network Access Controller (NAC). See
> http://download.securepoint.de/files/Handbuecher/NAC/NAC_Common_Delegated_Administration_Guide.pdf
>
I think we disagree about the "legitimate" part of your statement.
Perhaps you mean intentional?
>
> Customers have approached VeriSign with a similar need: they produce an app
> or appliance that is to be deployed in their customer's network, and they
> want out-of-the-box SSL certificate protection. Since they cannot know in
> advance what will be the host name that their customer will provide for the
> app or appliance (and they don't wish to burden their customer with the task
> of generating and installing an SSL certificate after installation), they purchase an SSL
> certificate for an internal-only domain name, and deploy the same private
> key and certificate in each app or appliance.
>
So if one of these systems is compromised, what happens?
> As was pointed out, this cert was issued in 2010. The CAB Forum has
> addressed the issuance of SSL certs to non FQDNs in the baseline
> requirements which were recently adopted.
>
Is it true that the new requirements won't come into effect until 2016?
All the best,
Jacob
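
Added example, not part of the original message or of any Observatory code: a small audit over scan observations that flags the two properties discussed in this thread, a certificate issued for an internal-only name and the same certificate (hence the same private key) served by more than one host. The observation format, the suffix list and all sample hosts and fingerprints are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Suffixes treated as internal-only (an assumption of this example, not a complete list).
INTERNAL_SUFFIXES = (".lan", ".local", ".internal", ".corp", ".home")

def is_internal_name(name):
    """True for names that only have meaning inside a private network."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    try:
        return ipaddress.ip_address(name).is_private  # IP literal in the cert
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    if "." not in name:  # single-label host name
        return True
    return name.endswith(INTERNAL_SUFFIXES)

def audit(observations):
    """observations: iterable of (host, cert_fingerprint, [names in cert]).
    Returns findings keyed by fingerprint for certificates that carry an
    internal name or are served by several distinct hosts."""
    hosts = defaultdict(set)
    names = defaultdict(set)
    for host, fp, cert_names in observations:
        hosts[fp].add(host)
        names[fp].update(cert_names)
    findings = {}
    for fp in hosts:
        internal = sorted(n for n in names[fp] if is_internal_name(n))
        shared = len(hosts[fp]) > 1  # one key pair deployed on many devices
        if internal or shared:
            findings[fp] = {"hosts": sorted(hosts[fp]),
                            "internal_names": internal, "shared": shared}
    return findings

SAMPLE = [  # constructed observations; fingerprints are placeholders
    ("192.0.2.10", "aa11", ["controller.mobile.lan"]),
    ("198.51.100.7", "aa11", ["controller.mobile.lan"]),
    ("203.0.113.5", "bb22", ["www.example.com"]),
    ("203.0.113.9", "cc33", ["intranet"]),
]

if __name__ == "__main__":
    for fp, finding in audit(SAMPLE).items():
        print(fp, finding)
```

A finding with both "shared" set and a non-empty "internal_names" list matches the deployment model described in the quoted text: every device holding that certificate also holds its private key.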