Thank you for undertaking this investigation, Doug, and for sharing what you found. I am glad to hear that GlobalSign had taken action to make similar issuances less likely in the future even before Andrew reported this.
In hindsight, it would probably have been helpful to suggest to all members of Mozilla's root programme that they consider whether they needed one or more such "test domains" as the rules on DNS name validation have gradually tightened. The existence of lists of "prevetted domains" for managed service accounts doubtless streamlines things considerably for valuable large corporate customers, but it does open up some additional vulnerability compared to a simpler model in which everything is vetted each time. I hope GlobalSign has policies in place to mitigate that vulnerability.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy