On Tuesday, 18 July 2017 20:29:50 UTC+1, Jeremy Rowley  wrote:
> Some of these certs are really old.  Is there a reason people were using 
> double dot names? Are they all mistakes in the certificate request or is 
> there some logic behind them?

Unless I see good evidence to the contrary I will assume mistakes. The 
personnel with responsibility for obtaining certificates in most organisations 
know very little about this stuff. If you offer them a box where they can type 
www. and it doesn't say "Bzzt, wrong! Try again" they will only find out that 
the resulting certificates are garbage when they try them.

Anecdote: My employer uses a popular brand of SSL-intercepting Middle Box, and 
they had used its "demo" root CA for months or possibly years before I pointed 
out that this was a grave security risk detailed in the product's own manual. 
No-one would officially acknowledge my warning, but after a few months it 
evidently reached someone with the power to change things, and so one morning 
the CA was silently replaced and a new CA root cert was pushed out to all the 
Windows clients. This new "root cert" lacked CA:TRUE and had clearly been 
created by typing whatever seemed intuitively reasonable into all the X.500 
series name fields. Certificates presented to end user machines by the Middle 
Box were now signed by this "CA".

Interestingly this was accepted by Windows as a root cert. But not by lots of 
other systems due to lack of CA:TRUE, and within two days the root was replaced 
once again, this time using a cert that looked exactly like the one for the 
original demo CA, including CA:TRUE, and all the name branding from the 
supplier but with a different key pair. Since this CA was not obviously unsafe, 
I held my tongue about the other problems with it and counted it as a win for 
dev-security-policy mailing list

Reply via email to