Robin Alden:
> f) refers to an SSL product which is limited in such a way that it isn't
> generally usable on the public internet. We offer no warranty on the
> product, and the main part of the domain validation is to ensure that the
> domain name in the certificate is not a valid internet name or, if the
> certificate is for an explicit IP address, that the IP address is not
> internet routable.
>
> We do issue quite a number of these certificates, especially for use within
> enterprise organizations.
> We don't issue many to localhost in particular but we have issued some!
>
Apparently you seem to do all the things a serious CA shouldn't :-) Don't take it personally, but issuing certificates for "localhost"? I meant it rather as a joke...

In my opinion, Intranets should secure them either by an internal CA or by using an internal network domain instead of using hostnames. For example the internal network could be represented as intern.domain.com, whereas a certificate would be issued to server.intern.domain.com. The DNS could be served by an internal as well as an external DNS server and point to the internal private IP addresses.

An attack on hostnames is rather easy and I guess no validation is performed nor is uniqueness guaranteed either.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
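The check described in the quoted text (name is not a valid internet name, or the IP address is not internet routable), sketched as an added example that is not part of the thread and is not any CA's actual validation code. The function name `classify_subject`, the special-use suffix list and the sample names are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: special-use names that are never delegated in public DNS
# (RFC 2606, RFC 6761, RFC 6762, RFC 8375). This list is not from the thread.
SPECIAL_USE = ("localhost", "local", "test", "invalid", "example", "home.arpa")
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def classify_subject(name):
    """Classify a requested certificate name as internal, public or reject."""
    host = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # is_global is False for RFC 1918, loopback, link-local, ULA, etc.
        if ip.is_global:
            return ("public", "internet-routable IP address")
        return ("internal", "non-routable IP address")

    labels = host.split(".")
    if not all(LABEL.match(label) for label in labels):
        return ("reject", "not a syntactically valid hostname")
    if labels[-1].isdigit():
        # e.g. "10.1": some resolvers read this as an IP address
        return ("reject", "ambiguous numeric name")
    if len(labels) == 1:
        return ("internal", "unqualified hostname, not unique across networks")
    if any(host == s or host.endswith("." + s) for s in SPECIAL_USE):
        return ("internal", "special-use domain, not in public DNS")
    return ("public", "may exist in public DNS, needs domain-control validation")


# Constructed sample requests, not taken from any real CA's records.
SAMPLES = ["localhost", "mail", "10.0.0.5", "fd00::1", "printer.local",
           "8.8.8.8", "server.intern.domain.com", "10.1", "bad_host"]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = classify_subject(sample)
        print(f"{sample:28} {verdict:9} {reason}")
```

Names classified as internal here can be requested by anyone on any network, which is the uniqueness concern raised in the reply; a name such as server.intern.domain.com falls under ordinary domain-control validation instead.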