The CA/Browser Forum recently published Baseline Requirements for CAs
issuing SSL certificates. Major software vendors have announced that
they will integrate the standard into their distribution programmes for
all trusted CA roots.
Section 9.2.1 of the Baseline Requirements deprecates the use of
"non-unique names" in publicly-trusted SSL certificates. There are
growing concerns that this practice creates vulnerabilities which allow
attackers to perform "man in the middle" attacks and eavesdrop on secure
connections, because a certificate for a name such as "mail" or
"10.0.0.5" issued to one organisation is equally valid for the same name
inside any other network. As a result, trusted CAs must phase out the
use of internal server names and reserved IP addresses in the Subject
commonName field or SubjectAlternativeName extension of publicly-trusted
SSL certificates according to the following schedule:
To limit their risk, we recommend that customers begin using Fully
Qualified Domain Names to access internal resources and stop using
certificates containing internal server names and private IP addresses
as soon as possible.
QuoVadis will provide transition information for affected users of Trust/Link Enterprise.
Definitions:
Fully-Qualified Domain Name: A registered Domain Name that includes the
labels of all superior nodes in the Internet Domain Name System (DNS).
For example: example.quovadisglobal.com. NOTE: this means you must use a
registered domain name, but it does not mean that the domain must be
reachable from the public Internet.
Internal Server Name: A Server Name (which may or may not include an
unregistered Domain Name) that is not resolvable using the public DNS.
For example: mail, exchange, exch01, example.local, or localhost.
Reserved IP Address: An IPv4 or IPv6 address that the IANA has marked as reserved:
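As an added example (not from the QuoVadis notice or the Baseline Requirements), the following Python script applies the three definitions above to the names found in a certificate's Subject CN or SAN entries and reports the ones the schedule deprecates. It assumes that "IANA reserved" can be approximated with the standard library's ipaddress flags and uses a small, assumed list of suffixes that never resolve in the public DNS.

```python
# Added example: audit certificate names against the "Fully-Qualified Domain
# Name" / "Internal Server Name" / "Reserved IP Address" definitions.
import ipaddress
import re

# Assumption: IANA-reserved (private, loopback, link-local, documentation,
# multicast, unspecified, ...) is approximated by "not is_global".
def is_reserved_ip(text):
    try:
        return not ipaddress.ip_address(text).is_global
    except ValueError:
        return False

# Assumption: suffixes that never resolve in the public DNS. A real audit
# would also check the registered-domain part against the public suffix list.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp")

# A valid DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify_name(name):
    """Return 'fqdn', 'internal', 'reserved-ip' or 'public-ip' for one CN/SAN value."""
    n = name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(n)
        return "reserved-ip" if is_reserved_ip(n) else "public-ip"
    except ValueError:
        pass  # not an IP literal, treat as a host name
    if n.startswith("*."):          # wildcard certs are judged on their base name
        n = n[2:]
    labels = n.split(".")
    # Single-label names (mail, exch01, localhost) and non-public suffixes are
    # internal server names; so are names that are not syntactically valid
    # public host names, since the public DNS cannot resolve them either.
    if len(labels) < 2 or n.endswith(NON_PUBLIC_SUFFIXES):
        return "internal"
    if not all(LABEL_RE.match(label) for label in labels):
        return "internal"
    return "fqdn"

def audit_san(names):
    """Return (name, category) pairs that the Baseline Requirements deprecate."""
    flagged = []
    for name in names:
        category = classify_name(name)
        if category in ("internal", "reserved-ip"):
            flagged.append((name, category))
    return flagged

if __name__ == "__main__":
    # Constructed sample of CN/SAN values, not taken from a real certificate.
    sample = ["example.quovadisglobal.com", "*.quovadisglobal.com", "mail",
              "exch01", "example.local", "localhost", "10.0.0.5", "fd00::1"]
    for name, category in audit_san(sample):
        print(f"DEPRECATED ({category}): {name}")
```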
Further Information:
QuoVadis Deprecated Certificate Guidance for internal hostnames and private IP addresses
http://cabforum.org/Baseline_Requirements_V1.pdf
https://www.eff.org/deeplinks/2011/04/unqualified-names-ssl-observatory