On Thursday, March 16, 2017 at 6:59:41 AM UTC-4, Gervase Markham wrote:
> Hi Doug,
>
> On 03/03/17 11:17, Gervase Markham wrote:
> > That's lovely, but it doesn't answer my question. Let me restate it: why
> > does GlobalSign believe it is necessary to give employees the power to
> > add arbitrary domains to accounts without going through ownership
> > validation?

Hi Gerv,

For the record, we don't think it's necessary (or permissible) to give employees (RAs) the power to add arbitrary domains to accounts without proper vetting. This was a breakdown in the vetting process whereby this "test" domain was added in order to issue a certificate in production. When this was done the cert was revoked and the vetting for the domain was disabled. After this happened back in 2015 all of the RAs were instructed to follow production vetting procedures in production (obviously) and to not bend or break them when doing "testing".

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy