Company Foo was a GlobalSign "test" account which we set up to verify proper 
issuance.

> -----Original Message-----
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Monday, February 13, 2017 8:57 AM
> To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: Re: Suspicious test.com Cert Issued By GlobalSign
> 
> On 13/02/17 14:34, Doug Beattie wrote:
> > This was for  GlobalSign account used for testing, so it was a
> > GlobalSIgn employee.  Customers are not, nor have they ever been,
> > permitted to add domains without GlobalSign enforcing the domain
> > verification process.
> 
> OK, then I'm a bit confused. You say this was a "managed service account";
> does such an account belong to a customer? If so, let's call them company Foo.
> 
> > 9/11/2015 11:41:20 - test.com added as a prevetted domains
> 
> i.e. a GlobalSign employee added test.com to the account of company Foo.
> 
> > 9/11/2015 11:50 - Order received by CA
> 
> i.e. Company Foo places an order for a test.com cert. (You say "received", so 
> it
> didn't come from internally?)
> 
> How did Company Foo know it was OK to order such a cert? And why would
> they do so?
> 
> Gerv
> 
> 

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to