On Tuesday, 18 July 2017 20:29:50 UTC+1, Jeremy Rowley wrote:
> Some of these certs are really old. Is there a reason people were using
> double dot names? Are they all mistakes in the certificate request or is
> there some logic behind them?

Unless I see good evidence to the contrary I will assume mistakes. The personnel with responsibility for obtaining certificates in most organisations know very little about this stuff. If you offer them a box where they can type www. and it doesn't say "Bzzt, wrong! Try again" they will only find out that the resulting certificates are garbage when they try them.

Anecdote: My employer uses a popular brand of SSL-intercepting Middle Box, and they had used its "demo" root CA for months or possibly years before I pointed out that this was a grave security risk detailed in the product's own manual. No-one would officially acknowledge my warning, but after a few months it evidently reached someone with the power to change things, and so one morning the CA was silently replaced and a new CA root cert was pushed out to all the Windows clients.

This new "root cert" lacked CA:TRUE and had clearly been created by typing whatever seemed intuitively reasonable into all the X.500 series name fields. Certificates presented to end user machines by the Middle Box were now signed by this "CA".

Interestingly this was accepted by Windows as a root cert. But not by lots of other systems due to lack of CA:TRUE, and within two days the root was replaced once again, this time using a cert that looked exactly like the one for the original demo CA, including CA:TRUE, and all the name branding from the supplier but with a different key pair.

Since this CA was not obviously unsafe, I held my tongue about the other problems with it and counted it as a win for security.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy