The Issuing CA shall ensure that the subject name listed in all certificates has a reasonable association with the authenticated information of the subscriber.
The hypocrites can't even manage that with their own 'RXC' CA name.
One might gently point out that the SubjectName in that cert is "C=US, O=Cisco Systems, CN=Cisco RXC-R2". Microsoft just seems to have abbreviated it to "RXC-R2".
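The distinction above (the cert's full Subject DN versus the short name Windows displays) is easy to audit yourself. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell 5 or later and uses only the built-in `Cert:` drive. It lists every root in the machine and current-user Root stores with its FriendlyName beside its Subject DN, then flags entries whose display name does not occur in the Subject or which are not self-signed.

```powershell
# Added example (not from the thread): compare the FriendlyName Windows shows
# for each trusted root with the full Subject DN actually in the certificate.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$roots = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store        = $store
            FriendlyName = $_.FriendlyName
            Subject      = $_.Subject
            Issuer       = $_.Issuer
            NotAfter     = $_.NotAfter
            Thumbprint   = $_.Thumbprint
        }
    }
}

# Flag roots whose display name is not found in the Subject DN (case-insensitive),
# and any entry that is not self-signed, which has no business in a Root store.
$suspect = $roots | Where-Object {
    ($_.FriendlyName -and
        $_.Subject.IndexOf($_.FriendlyName, [StringComparison]::OrdinalIgnoreCase) -lt 0) -or
    ($_.Subject -ne $_.Issuer)
}

$roots | Sort-Object Store, Subject |
    Format-Table -AutoSize Store, FriendlyName, Subject

"--- entries worth a second look ---"
$suspect | Format-Table -AutoSize Store, FriendlyName, Subject, Issuer, Thumbprint
```

One caveat when reading the output: Windows populates the Root store lazily through Automatic Root Update, so a program root that has never been encountered on the machine will not appear here even though it is trusted; a complete review needs the published Microsoft Trusted Root Program list alongside this local listing.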
Maybe as part of a way to secure the connection to their appliances? They could auto issue certs after verifying ownership. Maybe they're gonna give appliances a name off their own DNS <whatever>.mycloud.cisco? Hell maybe they're becoming a real CA and gonna sell trust services.
Dunno how MS's process is, but with Firefox there's a nice application process that's very open and you can see their claims.
Requiring Internet Explorer for switch management sounds like exactly the kind of stupid Cisco might go for.
These days Chrome/chromium uses the system store AFAIK, so at least you can get surprising breakage in your management tool that isn't due to TLS, but rather some kind of IE compatibility hack... ;-)
To have $largeCompany buying their security suite where they can MITM on the proxy/appliance/gw/whatever without generating any alerts on the client side?
If they misused the CA for that, there'd be a lot of backlash (cause it'd be detected). Apps would start blacklisting it. Seems like they'd have a better plan than that.
I don't think it is intended to be undetected. Plenty of large organizations use security appliances that MITM all traffic. Though I'd prefer they do it by pushing their own BigCo certificate to the boxes they own than relying on a cert that exists in all copies of Windows.
They want people to be able to BYOD and not know what's going on. (I'm sure that most employees were informed in some opaque memo, but that only goes so far.) "Our shared network works best with Microsoft phones." Hey, this is a new marketing effort for all those crap Lumias they're trying to unload!
So you're positing that Microsoft is going to intentionally destroy their TLS-CA verification system so any company can compromise any Windows device in the name of BYOD, without explicit action from the user?
As we've been told many times, "it ain't a bug it's a feature". Sure, you and I don't want to tell the DLP guys our bank passwords, but most people already don't care. It's not feasible anymore to just block TLS, and supporting client proxy config is so tedious.
Think about how it'd have to work. By including a "compromised" cert that any company can get to use, and that every Windows customer trusts, the CA system would be entirely destroyed. Microsoft wouldn't do that - it makes zero sense. Cisco might have something that having a CA for makes easier, but including a MITM cert in every Windows install is not close to reality.
I'm not so sure. Before the "encryption fad" most traffic would go unencrypted to a Cisco device (router, switch, proxy, vpn concentrator (the inside of the network)) anyway.
As far as I know, the US has almost non-existent privacy laws when it comes to what corporations are allowed to do/demand to do to their employees through contracts wrt. traffic on company equipment.
Forcefully and silently intercepting traffic on employee networks would AFAIK be illegal in most of Europe.
I saw that and was wondering what he was thinking of. I had to double check to make sure the most recent parliament hadn't been up to any shenanigans, but seems like everything is on the up and up politically there. The ISIS situation is scary, but that's a whole other ball of wax.
I think the author might be a bit behind the news on Tunisia, though.