Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-24 Thread Nick Lamb via dev-security-policy
On Friday, 24 March 2017 10:11:36 UTC, Gervase Markham wrote: > I spoke about this with Doug at the CAB Forum meeting. The system which > collects the data is not integrated with the system to which the domains > are added. The validation specialist concerned, contrary to policy > ("it's just a

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-24 Thread Gervase Markham via dev-security-policy
On 17/03/17 16:28, douglas.beat...@gmail.com wrote: >> If the addition is so gated, what did the employee in this case do? Did >> they upload bogus data? > > No bogus data was uploaded. I spoke about this with Doug at the CAB Forum meeting. The system which collects the data is not integrated

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-22 Thread tarah--- via dev-security-policy
> > > If the addition is so gated, what did the employee in this case do? Did > > > they upload bogus data? > > > > No bogus data was uploaded. > > > > Doug > > The suspense is killing... What "non bogus" data was uploaded then? Can't > have been any "plausible vetting data" can it? I'm also

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-17 Thread okaphone.elektronika--- via dev-security-policy
On Friday, 17 March 2017 17:28:12 UTC+1, douglas...@gmail.com wrote: > On Friday, March 17, 2017 at 5:37:38 AM UTC-4, Gervase Markham wrote: > > On 16/03/17 17:20, douglas beattie wrote: > > > Yes, RAs (trusted role employees) need to have the technical ability > > > to manually add domains to

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-17 Thread douglas.beattie--- via dev-security-policy
On Friday, March 17, 2017 at 5:37:38 AM UTC-4, Gervase Markham wrote: > On 16/03/17 17:20, douglas beattie wrote: > > Yes, RAs (trusted role employees) need to have the technical ability > > to manually add domains to accounts. They can verify domains in one > > of the 10 different methods and

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-17 Thread Gervase Markham via dev-security-policy
On 16/03/17 17:20, douglas.beat...@gmail.com wrote: > Yes, RAs (trusted role employees) need to have the technical ability > to manually add domains to accounts. They can verify domains in one > of the 10 different methods and some of those involve manually > looking in who-is for registrant

RE: Suspicious test.com Cert Issued By GlobalSign

2017-03-16 Thread Nio via dev-security-policy
>Back in 2015, there were some GlobalSign testing in which users thought it was >acceptable to use domains like test.com and example.com for testing purposes. >Since this time, GlobalSign has implemented procedures to avoid any similar >situations in the future. Does it mean that

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-16 Thread Gervase Markham via dev-security-policy
On 16/03/17 11:25, douglas.beat...@gmail.com wrote: > For the record, we don't think it's necessary (or permissible) to > give employees (RAs) the power to add arbitrary domains to accounts > without proper vetting. I guess I'm still not being clear - sorry :-( Let me try one more time: Why does

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-16 Thread douglas.beattie--- via dev-security-policy
On Thursday, March 16, 2017 at 6:59:41 AM UTC-4, Gervase Markham wrote: > Hi Doug, > > On 03/03/17 11:17, Gervase Markham wrote: > > That's lovely, but it doesn't answer my question. Let me restate it: why > > does GlobalSign believe it is necessary to give employees the power to > > add

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-16 Thread Gervase Markham via dev-security-policy
Hi Doug, On 03/03/17 11:17, Gervase Markham wrote: > That's lovely, but it doesn't answer my question. Let me restate it: why > does GlobalSign believe it is necessary to give employees the power to > add arbitrary domains to accounts without going through ownership > validation? You are getting

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-03 Thread Gervase Markham via dev-security-policy
Hi Doug, On 28/02/17 12:44, douglas.beat...@gmail.com wrote: > Sorry, I missed the last request. As outlined above, this domain was > added to this account for only a very short period of time and then > it was removed, so it's no longer being used. Further, we've > educated the groups involved

Re: Suspicious test.com Cert Issued By GlobalSign

2017-02-28 Thread douglas.beattie--- via dev-security-policy
On Monday, February 27, 2017 at 11:04:53 AM UTC-5, Gervase Markham wrote: > Hi Doug, > > On 15/02/17 17:09, Gervase Markham wrote: > > But currently GlobalSign employees still are? > > > > If so, can you help us understand why that's necessary? Given that you > > control the domains used for

Re: Suspicious test.com Cert Issued By GlobalSign

2017-02-27 Thread Gervase Markham via dev-security-policy
Hi Doug, On 15/02/17 17:09, Gervase Markham wrote: > But currently GlobalSign employees still are? > > If so, can you help us understand why that's necessary? Given that you > control the domains used for testing, you should be able to set them up > to auto-pass some form of automated

Re: Suspicious test.com Cert Issued By GlobalSign

2017-02-15 Thread Gervase Markham via dev-security-policy
On 13/02/17 14:34, Doug Beattie wrote: > This was for GlobalSign account used for testing, so it was a > GlobalSign employee. Customers are not, nor have they ever been, > permitted to add domains without GlobalSign enforcing the domain > verification process. But currently GlobalSign employees

RE: Suspicious test.com Cert Issued By GlobalSign

2017-02-14 Thread Doug Beattie via dev-security-policy
mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: Suspicious test.com Cert Issued By GlobalSign > > On 13/02/17 14:34, Doug Beattie wrote: > > This was for GlobalSign account used for testing, so it was a > > GlobalSign employee. Customers are not, nor have they ever b

Re: Suspicious test.com Cert Issued By GlobalSign

2017-02-13 Thread Gervase Markham via dev-security-policy
On 13/02/17 14:34, Doug Beattie wrote: > This was for GlobalSign account used for testing, so it was a > GlobalSign employee. Customers are not, nor have they ever been, > permitted to add domains without GlobalSign enforcing the domain > verification process. OK, then I'm a bit confused. You

Re: Suspicious test.com Cert Issued By GlobalSign

2017-02-08 Thread Gervase Markham
On 01/02/17 19:47, Doug Beattie wrote: > 9/11/2015 11:41:20 - test.com added as a prevetted domains Who added this - a customer, or a GlobalSign employee? Were customers permitted to add domains to the prevetted list in their enterprise accounts without GlobalSign confirming that they actually

Re: Suspicious test.com Cert Issued By GlobalSign

2017-02-01 Thread Nick Lamb
Thank you for undertaking this investigation Doug and for sharing what you found. I am glad to hear that GlobalSign had taken action to make similar issuances less likely in the future even before Andrew reported this. In hindsight probably it would have been helpful to suggest to all members

RE: Suspicious test.com Cert Issued By GlobalSign

2017-02-01 Thread Doug Beattie
ounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of Gervase > Markham > Sent: Thursday, January 26, 2017 4:20 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Suspicious test.com Cert Issued By GlobalSign > > On 25/01/17 17:36, Andrew Ayer w

Re: Suspicious test.com Cert Issued By GlobalSign

2017-01-26 Thread Gervase Markham
On 25/01/17 17:36, Andrew Ayer wrote: > I found another certificate for www.test.com that I believe was > mis-issued by GlobalSign: > > > https://crt.sh/?sha256=9d503e7c6c4fb6e6d7436c07ff445b95214871ea13ac1cb3b0d7abbce9be6cfb Yes, that looks mis-issued. I realise this was some time ago