Closed Bug 1567060 Opened 2 years ago Closed 2 years ago

Sectigo / inconsistent disclosure of externally-operated intermediate


(NSS :: CA Certificate Compliance, task)

Not set


(Not tracked)



(Reporter: agwa-bugs, Assigned: Robin.Alden)



(Whiteboard: [ca-compliance])

Ever confirmed: true
Assignee: wthayer → Robin.Alden
Whiteboard: [ca-compliance]

(In reply to Andrew Ayer from comment #0)
Thanks for the report. I acknowledge receipt and we will look to get an answer to you next week.

Blocks: 1563579
Flags: needinfo?(Robin.Alden)

I apologize for the slow response.

We have a response in preparation and I will publish it here as soon as I can. I expect that to be this week, but I will update this ticket no later than September 17th.

As we mentioned in [1], we updated the CCADB records for the cross-certificates we've issued to so that the Audit and CP/CPS details match what have disclosed for their self-signed CA.

In order that these issues are more apparent for ourselves and for all other program CAs, Rob added two new buckets to

  • Disclosed, but with Inconsistent Audit details
  • Disclosed, but with Inconsistent CP/CPS details

As Ryan mentioned in [2], both Sectigo and include this CA in their WebTrust audits.
As he also deduced, this is because Sectigo runs some "white label" services for's auditors rely on our public audit reports and they also rely on the audit work for both organizations (Sectigo and having been carried out by the same group (EY). This arrangement between Sectigo and has existed for 12 years or more.

Although Sectigo do not issue certificates on our own behalf from this CA our WebTrust audits and disclosures would have allowed us to do so and we are technically able to do so. However it is a better expression of the intended purpose of this CA that we show's CPS in our CCADB entry for this CA so we will continue to do that.


Flags: needinfo?(Robin.Alden)

It appears that all questions have been answered and remediation is complete.

Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.