(In reply to Robin Alden from comment #23)
1) CAs in scope
In our previous year’s management assertions we had included the list of all of our publicly trusted issuing CAs as being in scope for all of the sets of WebTrust Criteria on which we receive reports, i.e. we previously had the same list of CAs in each of our WebTrust reports. This year we provided just such a single list shortly after the end of the audit period. We were asked for distinct CA lists for each report.
We produced the lists from the understanding given to us by the audit team which was that they should be broken down by our future Intent to issue.
We appreciate and understand that these management assertions are signed by Sectigo and that we take the responsibility for them, but with the benefit of hindsight we can see that we did not apply an appropriate level of rigour to our examination of that understanding (that they should be broken down by our future Intent) before we applied it to provide the initial lists, and we should have been able to do that as we had in-house expertise that we could and should have consulted, specifically Rob Stradling and his work up to that time on https://crt.sh/mozilla-disclosures.
Of course, the appearance of the arguably somewhat related bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1650910 on intent vs. capability) around the same time increased the significance of this mistake substantially and that is something that we were unaware of when we produced those initial CA lists.
It could be a lack of coffee / too much coffee, but I'm having trouble understanding this. If I'm following correctly, you started off with a complete list, based on capability ("all of our publicly trusted issuing CAs as being in scope"), then reduced that list ("We were asked for distinct CA lists for each report"), then expanded that list ("we realized that our lists... were not as required")
That seems a bit confusing for a sequence, so I suspect I'm probably misunderstanding something.
If I understand the second part, it sounds like the initial population list (i.e. that given to the auditor during the first phase) actually omitted certificates that Sectigo had issued, which the auditors did not detect until Sectigo sent a list on August 19, which the auditors tried to reconcile with the previous data, and discovered on August 27 that Sectigo had omitted certificates from the initial set. Sectigo then sent a corrected set on Sept 1. Is that... roughly correct?
If so, why were Comment #16, Comment #17, and Comment #18 so totally and utterly devoid of substance and details? Did these facts, even if they were preliminary discussions, not merit being disclosed as part of explaining the issues here?
I think it's useful to understand the tragedy of errors, here, but I'd like to reiterate the request in Comment #22 for a proper letter. Comment #23 contains a number of very useful details, so I don't want to overlook that, but it's omitting what was requested, and it's not clear to me why that is. While I certainly want to value transparency, which Comment #23 does seek to provide in better detail than previous comments on this bug, I also want to make sure we're mitigating risk appropriately. In my mind, there's both risk that Sectigo is not being as candid with all of the facts, and the risk of auditor issues, both of which are very relevant for our community.
I'm also wanting to understand more about the root causes of the sequence of audit scoping issues, especially in light of the many conversations regarding CCADB scoping, ALV, and of course, browsers' regular feedback to the WebTrust TF. That there is still confusion in September 2020 suggests deeply problematic issues are still at play here, and we need to identify the factors in order to better resolve them.