On Thursday, March 16, 2017 at 11:49:44 AM UTC-4, Gervase Markham wrote:

> Why does GlobalSign believe it is necessary for employees to have the
> technical capability to add arbitrary domains to accounts without going
> through ownership validation?
> 
> I mean, clearly they did back in 2015, because that's exactly what
> happened. Do they still have the technical capability (ignoring policy
> and set procedures for a moment) or not?

Yes, RAs (trusted role employees) need to have the technical ability to
manually add domains to accounts. They can verify domains using one of the 10
different methods, and some of those involve manually looking in WHOIS for
registrant info, using a DAD, or calling the contact. When one of these is
used, we collect the vetting data, then the RA can add/approve that domain.

> Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
