Leave Verisign out of it!
I keep reading misinterpretations about the previous blog entry and see Verisign buried under a ton of drivel. Just to make things clear:
- Verisign distributes test certificates for people to try out their service. These certificates are limited to 60 days, delivered without any kind of verification, and clearly labeled as such. People use them mostly to validate that PKI-enabled software like browsers or mail clients can handle them fine.
- These certificates come with all bells and whistles. If you read the fine print, it is clearly indicated that these are intended for test purposes only.
- Many other certificate authorities offer the same kind of service for users to test. The same proof-of-concept could have been realized with any other certificate provider offering test tools, as long as they relate to a root CA trusted by iPhones.
You do not have to believe me: browse any certificate provider web site and look for test certificate generation.
The WTF lies in the fact that an iPhone would accept this kind of toy certificate as a token of proof to authenticate a remote configuration received over the air.
Hope that clarifies things a bit.