Sectigo / Web.com: inconsistent disclosure of externally-operated intermediate
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: agwa-bugs, Assigned: Robin.Alden
Details: Whiteboard: [ca-compliance] [disclosure-failure]
Sectigo has disclosed the following intermediates as being operated under the same CP/CPS as parent:
https://crt.sh/?sha256=5DCF76EC8C7A84D94C7C9BFFDE0C9D45389AC618D11D343BD6A5EBA5BFC6F438
https://crt.sh/?sha256=1F32401D449A0619F30800D11A4F502DB49E0B332423F778BD522991FB6E0147
https://crt.sh/?sha256=C445D7EAA6F236F4CFC23AD1C2F8403BF733AE87E0E6FF5892C926044370FB48
However, the same subject + SPKI is found in this Web.com root certificate, which has a different CP/CPS:
https://crt.sh/?sha256=15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C
Comment 1•6 years ago
(In reply to Andrew Ayer from comment #0)
Andrew,
Thanks for the report. I acknowledge receipt and we will look to get an answer to you next week.
Comment 2•6 years ago
I apologize for the slow response.
We have a response in preparation and I will publish it here as soon as I can. I expect that to be this week, but I will update this ticket no later than September 17th.
Comment 3•6 years ago
As we mentioned in [1], we updated the CCADB records for the cross-certificates we've issued to Web.com so that the Audit and CP/CPS details match what Web.com have disclosed for their self-signed CA.
In order that these issues are more apparent for ourselves and for all other program CAs, Rob added two new buckets to https://crt.sh/mozilla-disclosures:
- Disclosed, but with Inconsistent Audit details
- Disclosed, but with Inconsistent CP/CPS details
As Ryan mentioned in [2], both Sectigo and Web.com include this CA in their WebTrust audits.
As he also deduced, this is because Sectigo runs some "white label" services for Web.com. Web.com's auditors rely on our public audit reports and they also rely on the audit work for both organizations (Sectigo and Web.com) having been carried out by the same group (EY). This arrangement between Sectigo and Web.com has existed for 12 years or more.
Although Sectigo do not issue certificates on our own behalf from this CA, our WebTrust audits and disclosures would have allowed us to do so and we are technically able to do so. However, it is a better expression of the intended purpose of this CA that we show Web.com's CPS in our CCADB entry for this CA, so we will continue to do that.
[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg12256.html
[2] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg12210.html
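The check behind the two new crt.sh buckets, as an added example that is not crt.sh's, Sectigo's or Web.com's code: a subject + SPKI pair identifies one CA key no matter who signed the certificate, so every disclosed certificate in such a group should carry the same CP/CPS and audit details, and the cross-certificates should be aligned to the self-signed root's record. The four fingerprints are the ones listed in comment 0; the subject DN, the SPKI hash and the document URLs are constructed placeholders, since the page does not give them.

```python
"""Flag CCADB-style disclosures whose CP/CPS or audit details disagree across
certificates sharing the same subject + public key (SPKI), then show the
remediation of aligning the cross-certificate rows to the root's record.
Added example; records are constructed, not real CCADB data."""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Disclosure:
    """One CCADB-style row for a disclosed CA certificate (fields simplified)."""
    sha256: str        # certificate SHA-256 fingerprint
    subject: str       # subject DN (constructed placeholder below)
    spki_sha256: str   # SHA-256 of the subjectPublicKeyInfo (constructed placeholder)
    cp_cps: str        # CP/CPS URL recorded for this certificate (placeholder)
    audit: str         # audit statement URL recorded for this certificate (placeholder)


# Placeholders: the real subject DN, SPKI hash and document URLs are not on the
# bug page, so constructed values are used. Only the four fingerprints are real.
SUBJECT = "CN=Web.com Root CA (constructed)"
SPKI = "spki-sha256-constructed-0001"
SECTIGO_DOCS = ("https://example.invalid/sectigo-cps", "https://example.invalid/sectigo-audit")
WEBCOM_DOCS = ("https://example.invalid/webcom-cps", "https://example.invalid/webcom-audit")

WEBCOM_ROOT = "15F0BA00A3AC7AF3AC884C072B1011A077BD77C097F40164B2F8598ABD83860C"
CROSS_CERTS = (
    "5DCF76EC8C7A84D94C7C9BFFDE0C9D45389AC618D11D343BD6A5EBA5BFC6F438",
    "1F32401D449A0619F30800D11A4F502DB49E0B332423F778BD522991FB6E0147",
    "C445D7EAA6F236F4CFC23AD1C2F8403BF733AE87E0E6FF5892C926044370FB48",
)

# State before remediation: the cross-certificates carry the parent's (Sectigo's)
# details while the self-signed root carries Web.com's.
BEFORE = [Disclosure(fp, SUBJECT, SPKI, *SECTIGO_DOCS) for fp in CROSS_CERTS] + [
    Disclosure(WEBCOM_ROOT, SUBJECT, SPKI, *WEBCOM_DOCS)
]


def find_inconsistencies(records):
    """Group rows by (subject, SPKI); return {group: set of fields that disagree}.

    Every row in a group describes the same operated CA key, so the CP/CPS and
    audit details should be identical. Single-row or agreeing groups are omitted.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r.subject, r.spki_sha256)].append(r)
    findings = {}
    for key, rows in groups.items():
        if len(rows) < 2:
            continue
        differing = {f for f in ("cp_cps", "audit")
                     if len({getattr(r, f) for r in rows}) > 1}
        if differing:
            findings[key] = differing
    return findings


def bucket_labels(findings):
    """Map disagreeing fields to the crt.sh bucket names quoted in comment 3."""
    names = {"audit": "Disclosed, but with Inconsistent Audit details",
             "cp_cps": "Disclosed, but with Inconsistent CP/CPS details"}
    return sorted({names[f] for fields in findings.values() for f in fields})


def align_to(records, canonical_sha256):
    """Copy CP/CPS and audit details from one row onto every row sharing its key.

    This is the shape of the remediation in comment 3: the cross-certificate
    rows were updated to match the Web.com self-signed root's disclosure.
    """
    canon = next(r for r in records if r.sha256 == canonical_sha256)
    same_key = (canon.subject, canon.spki_sha256)
    return [replace(r, cp_cps=canon.cp_cps, audit=canon.audit)
            if (r.subject, r.spki_sha256) == same_key else r
            for r in records]


if __name__ == "__main__":
    for label in bucket_labels(find_inconsistencies(BEFORE)):
        print(label)
    print(find_inconsistencies(align_to(BEFORE, WEBCOM_ROOT)))  # {}
```

Grouping on subject + SPKI rather than on fingerprint is the whole point: the three cross-certificates and the root are four distinct certificates, but one key, so a disclosure that is correct for each certificate in isolation can still be inconsistent for the CA they all represent.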
Comment 4•6 years ago
It appears that all questions have been answered and remediation is complete.