Robin Alden:
> f) refers to an SSL product which is limited in such a way that it isn't generally usable on the public internet. We offer no warranty on the product, and the main part of the domain validation is to ensure that the domain name in the certificate is not a valid internet name or, if the certificate is for an explicit IP address, that the IP address is not internet routable.
>
> We do issue quite a number of these certificates, especially for use within enterprise organizations.
> We don't issue many to localhost in particular but we have issued some!
Thanks Rob for this information. I want to raise here a concern about this practice. I view hostname-based certificates as not something public CAs should be involved in, since with little knowledge an attack on those sites is rather easy to perform.

Considering that NO validations are performed, nor that the hostnames have to be unique (considering that you mentioned that you issue SOME certificates for "localhost", which is more than one), I suspect this to be in contradiction to the Mozilla CA Policy. In http://www.mozilla.org/projects/security/certs/policy/ section 7 explicitly states:

"for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf"

Uniqueness of the common name field is not mentioned explicitly in the Mozilla CA policy, but nevertheless it's industry standard that CN fields are unique per issuer (for server certificates). Now, when issuing certificates for hostnames AND no uniqueness is required, I view the risk as even higher (since the same issuer might issue the same certificates, one of which might be used for such an attack). Please note that there is NO validation performed, meaning anybody can literally get a certificate such as would be used somewhere else...

Disclaiming any warranty doesn't cut it, I think... then why issue them in the first place?

Now, I suggest that Frank review this matter seriously and evaluate the risk which might be involved with hostname-based certificates.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
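The two checks the thread turns on, whether a requested name is an internet name or a routable IP at all, and whether the same non-unique name has been issued to more than one subscriber, can be made mechanical. The following is an added example (not code from either CA or from the mailing list); the set of non-public top-level labels and the sample of issued certificates are assumptions constructed for illustration.

```python
import ipaddress

# Assumed set of top-level labels that never resolve on the public Internet
# (special-use and reserved names per RFC 6761/6762/2606 plus common private
# suffixes). This set is an assumption of the example, not any CA's policy.
NON_PUBLIC_TLDS = {"localhost", "local", "test", "example", "invalid",
                   "internal", "lan", "corp", "home"}


def classify_name(entry: str) -> str:
    """Return 'public' if the CN/SAN entry is a routable Internet name or IP
    literal, 'internal' otherwise (the class of names the quoted message
    describes as eligible for the no-warranty intranet product)."""
    entry = entry.strip().lower().rstrip(".")
    # IP literal: routable only if not private, loopback, link-local or reserved
    try:
        ip = ipaddress.ip_address(entry)
        return "public" if ip.is_global else "internal"
    except ValueError:
        pass
    labels = entry.split(".")
    if labels and labels[0] == "*":   # wildcard: judge the base domain
        labels = labels[1:]
    if len(labels) < 2:               # single-label host: "localhost", "intranet"
        return "internal"
    if labels[-1] in NON_PUBLIC_TLDS:
        return "internal"
    return "public"


def audit_names(names):
    """Split a certificate's names into (public, internal). Any entry in the
    public list means the certificate would be usable on the open Internet
    and so must not be issued under the weaker intranet validation."""
    public = [n for n in names if classify_name(n) == "public"]
    internal = [n for n in names if classify_name(n) == "internal"]
    return public, internal


def shared_names(issued):
    """Given (subscriber, [names]) pairs, return the names that appear in
    certificates held by more than one subscriber. This is the non-uniqueness
    the reply objects to: each holder's private key is accepted by clients
    for the other holder's host of the same name."""
    holders = {}
    for subscriber, names in issued:
        for n in names:
            holders.setdefault(n.strip().lower().rstrip("."), set()).add(subscriber)
    return {n: sorted(s) for n, s in holders.items() if len(s) > 1}


# Constructed sample: three hypothetical intranet-product certificates.
ISSUED = [
    ("Subscriber A", ["localhost", "10.0.0.1"]),
    ("Subscriber B", ["localhost", "intranet", "*.corp.local"]),
    ("Subscriber C", ["mail.example.com", "intranet"]),
]

if __name__ == "__main__":
    for subscriber, names in ISSUED:
        public, internal = audit_names(names)
        print(subscriber, "public:", public, "internal:", internal)
    print("names issued to more than one subscriber:", shared_names(ISSUED))
```

Running it flags `mail.example.com` in Subscriber C's certificate as a public name that should have gone through ordinary domain validation, and reports `localhost` and `intranet` as issued to two different subscribers each. The IP test relies on `ipaddress.is_global`, which treats RFC 1918, loopback, link-local, shared address space and documentation ranges as non-routable.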