Closed Bug 1567061 Opened 2 years ago Closed 2 years ago

GoDaddy: inconsistent disclosure of externally-operated intermediate


(NSS :: CA Certificate Compliance, task)

Not set


(Not tracked)



(Reporter: agwa-bugs, Assigned: jfox)


(Whiteboard: [ca-compliance])

GoDaddy has disclosed the following intermediates as being operated under the same CP/CPS as parent:

However, the same subject + SPKI is found in this Amazon Trust Services root certificate, which has a different CP/CPS:

Ever confirmed: true
Assignee: wthayer → jfox
Whiteboard: [ca-compliance]

GoDaddy acknowledges the inquiry. We will work to have a response to the community by EOD, July 26th.

These certificates were issued by GoDaddy as cross-certificates, and were signed by root certificates controlled by GoDaddy. In 2015 Amazon Trust Services acquired the root certificate from GoDaddy and it is now operated under Amazon’s CP/CPS.

Joanna: Thanks for that explanation. However, I believe that's the point of concern/confusion; GoDaddy has disclosed both and and bound to the same CP/CPS as GoDaddy, and covered by GoDaddy's audit.

Both certificates are clearly not part of GoDaddy's audit, based on Appendix A, and based on Comment #2, also not bound by GoDaddy's CP/CPS anymore.

In terms of incident reporting, it seems that we're in agreement that GoDaddy should have disclosed both cross-certificates as under Amazon's audit and Amazon's CP/CPS, which GoDaddy is responsible for maintaining in CCADB for these two cross-certificates.

Have I misunderstood the report or the facts? If not, it would be good to file an incident report, on this bug, as to why GoDaddy disclosed this as "Audit same as parent" and "CP/CPS Same as parent", despite having transitioned control to Amazon. Similar to other CAs, it would be good to go through every disclosure by GoDaddy in CCADB and ensure it is correct, associated with the correct audit and CP/CPS, and report back any further corrections.

Flags: needinfo?(jfox)
Summary: GoDaddy / Amazon Trust Services: inconsistent disclosure of externally-operated intermediate → GoDaddy: inconsistent disclosure of externally-operated intermediate

It has been a week since GoDaddy's last response. Therefore, per Mozilla's incident response guidelines, GoDaddy needs to provide an update today explaining their progress in correcting this issue.

I believe there has been a misunderstanding of the information and I'll do my best to clear it up. The cross-certificates [1][2] were issued by a GoDaddy root [3] that is still bound to the GoDaddy CP/CPS and CCADB. The root certificate [4] was transferred to Amazon Trust Services at a later date. That is why the we have the cross-certificates [1][2] listed under our CP/CPS and CCADB while the root [4] is under Amazon's CP/CPS.


We do agree that we should include these cross-certificates within Appendix A of our audit reports, and with the recommendation to audit CCADB to ensure all information is correct. We are currently working with our auditors on both efforts to make the necessary updates as soon as possible. However, our first priority is the work required for this investigation to best ensure we can avoid any additional issues in the future. We will provide a timeline of resolution of these items as soon as possible.

As always, we thank the community for bringing this to our attention and giving us the opportunity to address this appropriately.

Flags: needinfo?(jfox)

We have submitted our updated audit reports for review, see Bug 1572234 for more information regarding our cross certificate disclosures.

I see that the GoDaddy audit reports now include these certificates, so from an audit perspective I view this issue as having been resolved.

Mozilla policy is unclear on the proper CP/CPS disclosure in CCADB for cross-certificates, as discussed on m.d.s.p., so I consider this incident to be resolved. I have filed a CCADB issue to track future clarification of these requirements.

Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.