As we mentioned in , we updated the CCADB records for the cross-certificates we've issued to Web.com so that the Audit and CP/CPS details match what Web.com have disclosed for their self-signed CA.
In order that these issues are more apparent for ourselves and for all other program CAs, Rob added two new buckets to https://crt.sh/mozilla-disclosures:
- Disclosed, but with Inconsistent Audit details
- Disclosed, but with Inconsistent CP/CPS details
As Ryan mentioned in , both Sectigo and Web.com include this CA in their WebTrust audits.
As he also deduced, this is because Sectigo runs some "white label" services for Web.com. Web.com's auditors rely on our public audit reports and they also rely on the audit work for both organizations (Sectigo and Web.com) having been carried out by the same group (EY). This arrangement between Sectigo and Web.com has existed for 12 years or more.
Although Sectigo do not issue certificates on our own behalf from this CA, our WebTrust audits and disclosures would have allowed us to do so and we are technically able to do so. However, it is a better expression of the intended purpose of this CA that we show Web.com's CPS in our CCADB entry for this CA, so we will continue to do that.