On 13/02/17 14:34, Doug Beattie wrote: > This was for GlobalSign account used for testing, so it was a > GlobalSIgn employee. Customers are not, nor have they ever been, > permitted to add domains without GlobalSign enforcing the domain > verification process.
OK, then I'm a bit confused. You say this was a "managed service account"; does such an account belong to a customer? If so, let's call them company Foo. > 9/11/2015 11:41:20 - test.com added as a prevetted domains i.e. a GlobalSign employee added test.com to the account of company Foo. > 9/11/2015 11:50 - Order received by CA i.e. Company Foo places an order for a test.com cert. (You say "received", so it didn't come from internally?) How did Company Foo know it was OK to order such a cert? And why would they do so? Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy