Hi Gerv,

We've researched the audit events around the certificate:

https://crt.sh/?sha256=9d503e7c6c4fb6e6d7436c07ff445b95214871ea13ac1cb3b0d7abbce9be6cfb

The domain test.com was inadvertently used in a certificate request and 
issuance - here are the audit events for the managed service account:

9/11/2015 11:41:20 - test.com added as a prevetted domain
9/11/2015 11:50 - Order received by CA
9/11/2015 11:51:02 - Certificate issued
9/11/2015 11:52:48 - Certificate revoked
9/11/2015 14:24:03 - test.com removed as a prevetted domain

Back in 2015, there was some GlobalSign testing in which users thought it was 
acceptable to use domains like test.com and example.com for testing purposes.  
Since this time, GlobalSign has implemented procedures to avoid any similar 
situations in the future.  We've purchased domains like globalsign-demo.com, 
globalsign-support.com and aeg-test.com for testing purposes.

The issuance of certificates from production CAs always uses domains which have 
been properly verified in accordance with the BRs and our vetting policies and 
the use of "testing" domains is only permitted if the domains are properly 
vetted in accordance with our CPS.  Certainly, the reported misissuances over 
the past year have highlighted this to all CAs. 

As part of researching this reported misissuance, we've reviewed all orders and 
certificates we've issued since this time to test.com and example.com and found 
several orders in the pending or cancelled state, but none of them were ever 
issued.  We continue to stress the importance of proper testing within our 
development, QA and production environments to avoid future misissuances.

Doug

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globalsign....@lists.mozilla.org] On Behalf Of Gervase
> Markham
> Sent: Thursday, January 26, 2017 4:20 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Suspicious test.com Cert Issued By GlobalSign
> 
> On 25/01/17 17:36, Andrew Ayer wrote:
> > I found another certificate for www.test.com that I believe was
> > mis-issued by GlobalSign:
> >
> > https://crt.sh/?sha256=9d503e7c6c4fb6e6d7436c07ff445b95214871ea13ac1cb3b0d7abbce9be6cfb
> 
> Yes, that looks mis-issued. I realise this was some time ago now, but do the
> Globalsign reps on the list have any comment?
> 
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy