[144385] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases
daemon@ATHENA.MIT.EDU (Heinrich Strauss)
Sat Sep 10 04:47:35 2011
Date: Sat, 10 Sep 2011 10:47:02 +0200
From: Heinrich Strauss <heinrich@hstrauss.co.za>
To: nanog@nanog.org
In-Reply-To: <F8A775A1-63E0-42FE-9C79-D16FEFA32EE8@deman.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2011/09/10 05:06, Michael DeMan wrote:
> Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all.
>
> I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'.
>
Given a private network and the need to monitor it in a private
company[1], we generated a certificate like this for internal use signed
by a company-internal trusted certificate authority.
Also, given the Subject Alternative Name extension, it is quite possible
to generate a "godmode" certificate for gracefully redirecting proxied
HTTPS requests to an "Access Denied" page or even
nefarious-purpose-logging machine.
-H.
[1] http://en.wikipedia.org/wiki/Lawful_interception
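As an added example, not code from this thread or from any of its participants, here is a small audit routine written from the defender's side: it flags SAN dNSName entries that would behave like the "godmode" certificate Heinrich describes, and shows that a client which matches hostnames strictly per RFC 6125 would not honour a name such as '*.*.com' at all. The public-suffix set and the sample SAN list are constructed stand-ins.

```python
"""Audit certificate SAN dNSName entries for over-broad ("godmode") wildcards.

Added example, not code from the NANOG thread. PUBLIC_SUFFIXES is a
constructed, abbreviated stand-in for the Mozilla Public Suffix List.
"""
from typing import Dict, List, Tuple

PUBLIC_SUFFIXES = {"com", "net", "org", "co.za", "co.uk"}  # constructed subset

# Constructed sample, modelled on the names discussed in the thread.
SAMPLE_SANS = [
    "www.example.com", "*.example.com", "*.*.com", "*.com",
    "mail.*.example.com", "*.co.za", "*.corp.example.net",
]


def classify_san_name(name: str) -> Tuple[str, str]:
    """Classify one dNSName as 'ok', 'godmode' (over-broad) or 'invalid'."""
    labels = name.lower().rstrip(".").split(".")
    if any(lbl == "" for lbl in labels):
        return "invalid", "empty label"
    wild = [i for i, lbl in enumerate(labels) if "*" in lbl]
    if not wild:
        return "ok", "no wildcard"
    if len(wild) > 1:
        return "godmode", "more than one wildcard label (e.g. '*.*.com')"
    if wild[0] != 0:
        return "godmode", "wildcard outside the leftmost label"
    if labels[0] != "*":
        return "invalid", "wildcard is only part of a label"
    parent = ".".join(labels[1:])
    # A wildcard directly under a public suffix (or a single label) covers
    # every registrant's hosts, which is the 'godmode' case.
    if parent in PUBLIC_SUFFIXES or len(labels) < 3:
        return "godmode", f"wildcard covers a public suffix: '{parent}'"
    return "ok", f"single leftmost wildcard under '{parent}'"


def rfc6125_match(pattern: str, hostname: str) -> bool:
    """Strict client-side match: '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or classify_san_name(pattern)[0] != "ok":
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def audit_sans(names: List[str]) -> Dict[str, Tuple[str, str]]:
    """Return only the SAN entries a reviewer should look at (anything not 'ok')."""
    results = {n: classify_san_name(n) for n in names}
    return {n: r for n, r in results.items() if r[0] != "ok"}
```

Run `audit_sans(SAMPLE_SANS)` to see which of the constructed names a CA or an internal PKI review should refuse to issue or trust.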