Company Foo was a GlobalSign "test" account which we set up to verify proper issuance.

> -----Original Message-----
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Monday, February 13, 2017 8:57 AM
> To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Suspicious test.com Cert Issued By GlobalSign
>
> On 13/02/17 14:34, Doug Beattie wrote:
> > This was for GlobalSign account used for testing, so it was a
> > GlobalSign employee. Customers are not, nor have they ever been,
> > permitted to add domains without GlobalSign enforcing the domain
> > verification process.
>
> OK, then I'm a bit confused. You say this was a "managed service account";
> does such an account belong to a customer? If so, let's call them company Foo.
>
> > 9/11/2015 11:41:20 - test.com added as a prevetted domains
>
> i.e. a GlobalSign employee added test.com to the account of company Foo.
>
> > 9/11/2015 11:50 - Order received by CA
>
> i.e. Company Foo places an order for a test.com cert. (You say "received", so it
> didn't come from internally?)
>
> How did Company Foo know it was OK to order such a cert? And why would
> they do so?
>
> Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy