[dns-operations] FYI: SAC057 - SSAC Advisory on Internal Name Certificates
Robert Edmonds
edmonds at isc.org
Fri Mar 15 17:57:41 UTC 2013
Livingood, Jason wrote:
> Posted today on the SSAC site @ http://www.icann.org/en/groups/ssac/documents/sac-057-en.pdf.
>
> Worth reading, especially if you have internal namespace (and associated internally generated SSL certificates) that overlaps with a new gTLD name. From the exec summary & intro:
there is an interesting quote in this document from a CA:
According to QuoVadis Group, a certificate authority, one use case for
internal name certificates is for convenience:
As a convenience for users, many servers in corporate networks
are reachable by local names such as “mail”, “wiki” or “hr”.
Most publicly trusted certificates for non‐unique names are
deployed in the context of local networks to enable trust in
these local names without the additional cost of provisioning a
new trust root to clients. This may be especially desirable for
networks lacking centralized policy deployment and management
tools, such as “Bring Your Own Device” environments.[5]
5. See QuoVadis Group. 2012. Internal Server Names and IP Address
Requirements for SSL at:
https://support.quovadisglobal.com/AvatarHandler.ashx?radfile=%2fCommon%2fSSL+General+Topics+%28KB%29%2fQV_DeprecatedCertsGuidance_v2.pdf.
i certainly hope the reference to "hr" being a "local" or "internal" or
"non-unique" name is a mistake and that CAs would absolutely refuse to
issue certs for names that are the same as a really existing TLD:
http://www.iana.org/domains/root/db/hr.html
--
Robert Edmonds
edmonds at isc.org
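A small audit script, added here as an illustration and not part of the original post or of the SSAC advisory, that shows the check this thread implies: take the subject alternative names from an organisation's certificates and flag every one that is not globally unique, separating the case of a bare label that is already a delegated TLD (the "hr" example above) from internal suffixes such as ".corp" that are merely at risk of collision with a future gTLD. The TLD set and the SAN list are constructed samples so the script runs offline; a real audit would load the current list that IANA publishes at https://data.iana.org/TLD/tlds-alpha-by-domain.txt and re-run as new TLDs are delegated.

```python
import ipaddress

# Constructed sample of delegated TLDs for an offline demonstration ("hr" is
# the ccTLD referenced in the post). A real audit should load the full, current
# IANA list and refresh it periodically, since new gTLDs keep being delegated.
SAMPLE_TLDS = {"com", "net", "org", "hr"}


def normalize(san):
    """Lowercase a SAN, drop a trailing dot and a leading wildcard label."""
    name = san.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def classify_san(san, tlds=SAMPLE_TLDS):
    """Classify one subject alternative name.

    Returns one of:
      'ip'            - an IP address literal rather than a DNS name
      'public'        - a name whose rightmost label is a delegated TLD,
                        i.e. a globally unique name
      'tld-collision' - a bare label that is itself a delegated TLD
                        (the "hr" case discussed in the post)
      'internal'      - a non-unique name: a bare label such as "mail", or a
                        suffix such as ".corp" that is not delegated today
                        but could become a gTLD later
    """
    name = normalize(san)
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        pass
    labels = name.split(".")
    if labels[-1] in tlds:
        return "tld-collision" if len(labels) == 1 else "public"
    return "internal"


def audit_sans(sans, tlds=SAMPLE_TLDS):
    """Return the SANs that are not globally unique, grouped by category."""
    findings = {}
    for san in sans:
        category = classify_san(san, tlds)
        if category != "public":
            findings.setdefault(category, []).append(san)
    return findings


# Constructed sample of SANs as they might appear on a corporate certificate.
SAMPLE_SANS = [
    "www.example.com",
    "mail",
    "wiki",
    "hr",
    "*.corp",
    "intranet.corp",
    "10.0.0.5",
]

if __name__ == "__main__":
    for category, names in sorted(audit_sans(SAMPLE_SANS).items()):
        print(f"{category}: {', '.join(names)}")
```

Feeding it the SAN lists extracted from an inventory of issued certificates gives a quick picture of which names would stop being "internal" the moment a matching TLD is delegated, and which already match one today.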