On Wednesday, June 21, 2017 at 12:02:51 PM UTC-7, Jonathan Rudenberg wrote:
> > On Jun 21, 2017, at 14:41, urijah--- via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> >
> > Apparently, in at least one case, the certificate was issued directly(!) to
> > localhost by Symantec.
> >
> > https://news.ycombinator.com/item?id=14598262
> >
> > subject=/C=US/ST=Florida/L=Melbourne/O=AuthenTec/OU=Terms of use at
> > www.verisign.com/rpa (c)05/CN=localhost
> > issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> > https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
> > reply
> >
> > Is this a known incident?
>
> Here is the (since expired) certificate:
> https://crt.sh/?q=07C4AD287B850CAA3DD89656937DB1217067407AA8504A10382A8AD3838D153F

As bad as it may sound, issuing certs for internal server names from a public chain was allowed until Oct 2015 (as per BR).