Hi Nick,

Yes, we have controls in place that trigger domain re-vetting in accounts prior to the max allowed by the BRs to assure that domains are not used beyond the 13/39 month limits.

Doug

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+doug.beattie=globalsign....@lists.mozilla.org] On Behalf Of Nick Lamb
> Sent: Wednesday, February 1, 2017 5:13 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Suspicious test.com Cert Issued By GlobalSign
>
> Thank you for undertaking this investigation Doug and for sharing what you
> found. I am glad to hear that GlobalSign had taken action to make similar
> issuances less likely in the future even before Andrew reported this.
>
> In hindsight probably it would have been helpful to suggest to all members of
> Mozilla's root programme that they consider whether they needed one or more
> such "test domains" as the rules on DNS name validation have gradually
> tightened.
>
> The existence of lists of "prevetted domains" for managed service accounts
> doubtless streamlines things considerably for valuable large corporate
> customers, but it does open up some additional vulnerability compared to a
> simpler model in which everything is vetted each time. I hope GlobalSign has
> policies in place to mitigate that vulnerability.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy