And a common practice. Old Microsoft documentation used to recommend it.
> On Jun 21, 2017, at 12:22 PM, Santhan Raj via dev-security-policy > <[email protected]> wrote: > > On Wednesday, June 21, 2017 at 12:02:51 PM UTC-7, Jonathan Rudenberg wrote: >>> On Jun 21, 2017, at 14:41, urijah--- via dev-security-policy >>> <[email protected]> wrote: >>> >>> Apparently, in at least one case, the certificate was issued directly(!) to >>> localhost by Symantec. >>> >>> https://news.ycombinator.com/item?id=14598262 >>> >>> subject=/C=US/ST=Florida/L=Melbourne/O=AuthenTec/OU=Terms of use at >>> www.verisign.com/rpa (c)05/CN=localhost >>> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at >>> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 >>> reply >>> >>> Is this a known incident? >> >> Here is the (since expired) certificate: >> https://crt.sh/?q=07C4AD287B850CAA3DD89656937DB1217067407AA8504A10382A8AD3838D153F > > As bad as it may sound, issuing certs for internal server name from a public > chain was allowed until Oct 2015 (as per BR). > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
