I've found several certificate authorities that issue certificates for internal domains, including Comodo, VeriSign, and completessl.com. Adam Barth and I filed a bug on this issue in 2007. These certificates are easy to acquire, but I don't see how they're less secure than HTTP, so we've been advocating that browsers show a broken lock:
https://bugzilla.mozilla.org/show_bug.cgi?id=401317

On Wed, Nov 4, 2009 at 8:34 PM, Paul van Brouwershaven <[email protected]> wrote:
> Ian G wrote:
>> OK, so it's good to figure out all the facts before we jump to conclusions.
> How do you mean?
>
>> Why does the client want this certificate? What is the use case here?
> This client uses .int for an internal domain, but this does not change the
> case. The certificate
> should not be issued because the domain has not been registered and could
> still be registered by
> someone else.
>
>> Does the domain exist "for him" and we just can't see it (I'm thinking
>> some internal non-public internet sense here) ?
> It's used on an intranet, but this will not say this is a valid certificate.
> You can't validate
> domain ownership if a domain has not been registered!
>
>> Or is this an "embarrassment exercise" ?
> Believe me it's not!
> _______________________________________________
> dev-security mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security
