Open Bug 1950144 Opened 1 month ago Updated 2 days ago

DigiCert: Threat of legal action to stifle Bugzilla discourse

Categories

(CA Program :: CA Certificate Root Program, defect)

defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: brian.holland, Unassigned)

Details

Attachments

(1 file)

In bug 1910322 comment 74 DigiCert wrote,

“We have not used a legal team as a shield against accountability.”

Contrary to this statement, I received a letter from DigiCert’s lawyers, Wilson Sonsini, regarding posts made by Sectigo’s Chief Compliance Officer in bug 1910322. The upshot of the letter was that DigiCert expected Sectigo to “ensure that Mr. Callan’s statements do not continue and will not be repeated by any other member of Sectigo’s organization.”

I’m Brian Holland, General Counsel for Sectigo, and this is my first time posting on Bugzilla. I’m posting because at Sectigo we believe that the WebPKI is best served by open, transparent, and honest debate about issues that impact our community. Attempts to shut down these conversations, through lawyers or otherwise, are harmful to our collective core mission.

In its opening passages, this letter reads (emphasis mine),

We ask for your prompt cooperation and assistance in taking corrective action and forcing Mr. Callan to cease his disparaging public statements. We hope your assistance in this matter will render unnecessary legal action by DigiCert against Sectigo.

After three pages of detail about specific Bugzilla posts and references to the Lanham Act, deceptive trade practices, corporate disparagement, and tortious interference, the letter (the full letter is included as an attachment to this bug) goes on to say (emphasis mine):

At this point, we are bringing this situation to your attention on behalf of DigiCert because we are hopeful that Mr. Callan’s actions were the actions of one individual and were not part of an organized plan or institutional practice. We also hope that, upon receiving this information, Sectigo will recognize the impropriety of Mr. Callan’s statements and the substantial public, industry, and browser scrutiny and legal risk such statements would prompt if they were to continue. To that end, we expect that Sectigo will investigate this incident promptly and take the appropriate corrective actions, confirm that this situation was not part of an institutional practice, and ensure that Mr. Callan’s statements do not continue and will not be repeated by any other member of Sectigo’s organization. We hope we can resolve this situation as soon as possible before DigiCert is compelled to seek legal action.

On December 10, 2024 I sent this response in email to my contact at Wilson Sonsini:

I have reviewed your letter and the Bugzilla thread referenced therein. In that letter, you suggest that DigiCert has various legal claims against Sectigo and/or its COO [sic], Tim Callan, for what you call “false and misleading statements about DigiCert” made on the Bugzilla forum. We strongly disagree. The statements you point to are questions and/or statements of opinion that are not actionable statements of fact. Moreover, those comments were made with the intent of facilitating discussion and debate about important questions of first impression for our industry. They were made by Tim Callan in good faith, are fully protected by the First Amendment, and cannot, as a matter of law, form the basis for any of the causes of action mentioned in your letter.

As you are aware, the PKI community is a self-regulating group that, as set out in the bylaws of the Certificate Authority Browser Forum, works “closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.” For the community to self-regulate, there needs to be open, uninhibited, and robust discussion and debate about best practices in the industry. Any litigation threats that chill or stifle such debate undermine the self-regulatory system that has worked so well for the industry.

Certificate Authorities post incident reports on Bugzilla to “provide lessons learned and transparency about the steps the CA Owner takes to address the immediate issue and prevent future issues.” As the Common CA Database goes on to state “incident reports help the Web PKI ecosystem as a whole because they promote continuous improvement, information sharing, and highlight opportunities to define and adopt improved practices, policies, and controls” of all parties.

The TRO involved in this incident report, as one Bugzilla commenter noted, is “an unprecedented event in the WebPKI, and . . . if allowed to proliferate, it would potentially be used by subscribers en masse to do an end-run around important technical security controls.”

The PKI Community has never considered how it should respond to TROs and now needs to do so. Understanding the situation faced by your client and why it made certain decisions is important to improving the WebPKI ecosystem. This is why Mr. Callan, and many others, have been asking questions – some of which have been critical questions designed to achieve a consensus as to how best handle situations like this in the future. In any such discussion, there will be differences of opinion, but open, uninhibited, robust, and transparent discussion is essential for the industry to learn how to best move forward.

I hope that your client will, on deeper reflection, realize that as a leader in the PKI Community, it should be driving, rather than stifling, discussion of this topic. Your client’s threat of litigation is, in our view, both misguided and without merit. We will strive to be respectful in our tone, but neither Mr. Callan nor Sectigo will be silenced or prevented from asking critical questions and/or engaging in critical discussion about issues of substantial concern to the public and the industry.

We find the threat of legal action to stifle scrutiny and discussion of public CA practices to be deeply troubling and entirely at odds with the transparent, blameless post-mortem culture that the CCADB incident report guidelines expect CAs to embrace. Even for a company like Sectigo, the threat of a lawsuit from a well-resourced organization like DigiCert is worrisome, regardless of our confidence that Mr. Callan’s speech was proper, legally protected, and in the best interest of the WebPKI. Another party challenging DigiCert’s behavior, faced with this same threat, might choose simply to stop asking uncomfortable questions.

No CA should be allowed to intimidate its critics into silence. This would irreparably damage the integrity and quality of the WebPKI.

I am sharing this incident to bring attention to DigiCert’s actions and allow the community to evaluate this approach. What began as a discussion of the threat posed by certificate subscribers using the legal system to circumvent WebPKI security controls needs, in my opinion, to be broadened.

Component: CA Certificate Compliance → CA Certificate Root Program

DigiCert is committed to the ideals that underpin this forum and the CA community. Interactions between competitors can sometimes be prickly, but we applaud your statement that “the WebPKI is best served by open, transparent, and honest debate about issues that impact our community.” We strive to be consistent with this ideal in our statements and actions.

We find ourselves in the strange position of having to publicly explain a private letter we sent to you and Sectigo last November. Like any private correspondence between individuals, it is difficult for others to have the full context to understand the interaction, particularly if only reading passages excerpted and emphasized to make a particular point. In reality, our letter to you was consistent with our desire to promote open and honest dialogue. We encourage all participants in this forum to read the entire letter and be familiar with the activity in this forum that gave rise to our concerns.

For a debate to be both open and honest, we have to trust that participants in our community have the best interest of the community and industry at heart. No doubt that industry competitors, like Sectigo and DigiCert, are tempted to seek business advantage wherever they can. But we discipline ourselves to set that aside when we come together to discuss issues that matter to our whole industry. We believe you and Sectigo feel the same way as we do about this.

Our reason for sending you this letter was not to chill debate, far from it. We were worried that some, encouraged by the Entrust distrust, may have been abusing the forum by posting misleading information and half-truths in an attempt to negatively sway public opinion and keep bugs open past their useful lifecycle. We are committed to preserving this forum for honest, as well as open, discussion and that it should not be used merely as a means for business competitors to foil each other. This was the reason we sent you and Sectigo the letter.

About a month later, you sent us back the response that you quote in your bug report. We were satisfied with your response. As you know we have not responded further or taken any other action on this matter, despite the ongoing discussion on the relevant bugs. Until you drew this out again we had thought the matter was closed.

In short, we fully agree with you that this community is best served by open discussion. But the discussion must also be honest, factually accurate, and focus on a fair review of important and relevant issues. Think how a business acting in bad faith could abuse this forum to undermine and harm a competitor in the CA industry—raising hearsay, reporting malicious rumors, asking leading and endless questions, etc. If this forum becomes merely a venue for gaining competitive advantage or for shaming our business rivals then it will fail its intended purpose and lose all value. Our aim in sending the letter was simply to defend the integrity of this forum.

Despite the occasional sharpness of business rivalry, we do trust your and Sectigo’s good faith, and above all the public spirit of this forum and its moderators. We hope we can put these concerns behind us and continue monitoring and discussing matters truly of interest to the WebPKI community.

The very first thing I did on seeing this incident was not to read Sectigo's allegations, but the letter that DigiCert wrote. On those facts, as disclosed, it certainly reads poorly that this is consistent with DigiCert's desire to promote open and honest dialogue.

Worryingly, it is a targeted legal threat at a named, singular employee bolstered by baseless legal arguments. I was particularly amused when the Lanham Act was butchered to breaking point to try and imply that participation on Bugzilla by your competitors is considered commercial advertising or promotion. Try to lead by example and have your team talk on other incidents publicly, try to see where shortcomings exist in other CAs, and how to push the community as a whole forward.

If we're going to be open, transparent, and honest then we need to acknowledge that in November someone made a terrible call and authorized that letter in the first place. I appreciate that in this timeframe DigiCert were dealing with the fallout of a TRO impacting their revocation. I would not be surprised if potential scenarios were discussed, and were perhaps leapt upon without proper understanding of the repercussions.

It's already an embarrassing letter, but please do everyone a favor and admit some fault here. In the interests of transparency, and with DigiCert highlighting the Entrust distrust, I want to make clear that nothing even close to this was sent from Entrust's side during the past year. Or at least no one who's talked to me has hinted at anything close to it ever existing.

Please consider this internally and try to improve your communications going forward.

I personally see no way to read the full and complete letter as anything other than an intentional and blatant legal threat to discourage further scrutiny of DigiCert's actions, views and interpretations, in which much of the broader community has understandably held much interest. Even if we assume, arguendo, that DigiCert did not intend for the letter to come off as a legal threat (which, I'll note, is rather difficult to do), surely they must have understood that it absolutely would be taken as one. I'll just note that an argument premised on DigiCert not following up on the threat does not make it any less of one, but merely a bad legal threat.

Reading DigiCert's response in comment #1 above makes it even more difficult to assume good faith on the part of the letter: the response vacillates between vaguely conciliatory language and what reads as badly-veiled accusations, in a way that only makes it sound further like the interpretation of the letter as a legal threat is the intended one. As a consequence, there is only one way I am able to interpret the reply in Comment #1: that in DigiCert's view the only problems here are 1) the scrutiny they are under and 2) that Sectigo brought the legal threats to the eyes of the broader community. Especially wrapping up with "We hope we can put these concerns behind us and continue monitoring and discussing matters truly of interest to the WebPKI community." makes it nigh-impossible to read the reply as anything else.

Against this background, DigiCert's statement that “[DigiCert] have not used a legal team as a shield against accountability.” is quite troubling. It either indicates a lack of communication within DigiCert (i.e. the party making said statement did not know of the letter), or alternatively a failure of everyone involved to appreciate that the natural reading of a formal letter from a legal firm, including the phrase "before DigiCert is compelled to seek legal action", is as a legal threat. The most charitable possible interpretation I can come up with -- assuming again, arguendo, that the letter was not meant as a legal threat even if interpreted as one -- is that DigiCert has good intentions, but struggles massively in written communication, not being able to appreciate how negative, hostile and "corporate PR" (i.e. uncandid) what they actually put down on the digital paper comes off to the readers.

I'll mirror Wayne in calling for DigiCert to "do everyone a favor and admit some fault here", as well to "consider this internally and try to improve your communications going forward".

As someone who’s spent a lot of time thinking about how we handle incidents, I’ve been following this discussion closely. I agree with Wayne and JSaares that empathy, humility, and clear communication are vital in moments like this—both for maintaining trust and for pushing our community forward.

It’s tough to see how a letter like the one DigiCert sent could avoid being read as a legal threat, intentional or not, and I think acknowledging that perception (even if it wasn’t the intent) could go a long way toward rebuilding goodwill here.

For what it’s worth, I recently wrote a blog post about incident response best practices, inspired in part by threads like this one. It digs into how we can approach these situations with transparency and a learning mindset—and offers some practical steps for CAs to handle incidents constructively. If folks are interested, it’s posted here: [https://unmitigatedrisk.com/?p=982]

This is obviously a very challenging situation for the WebPKI community to be in. Two influential CAs are at legal odds with each other, on the specific topic of how Web PKI self-governance is performed in one of its primary venues. It's easy to imagine that even the memory of these events will have a chilling effect on discourse here, and prevent some from making valuable contributions. That's a shame, and I think a waste of the effort that has gone into making Bugzilla and incident reports a force for industry improvement and collaboration (which is not always, by any means, industry agreement.)

To state it that way, of course, is perhaps to imply an equality of responsibility for the present situation, which is not at all my intent. DigiCert's letter is either a legal threat intended to have exactly the sort of chilling effect I bemoan above, or it is some of the clumsiest legal writing to ever surface in this industry. In either case, I believe that an apology is owed not only to Sectigo—who I hope will not be deterred from frank comments on incident practices in the future—but indeed to the entire root-Bugzilla and Web PKI community. This is an attack on the norms and values of a diverse community of participants who perform an essential role for the safety and integrity of the web. It is grotesquely disappointing to see it from a participant as storied and experienced as DigiCert, and to see the dancing around "context" and false camaraderie in DigiCert's response here merely adds insult to injury.

If DigiCert is to act responsibly regarding this matter, from this point forward, I think that they would do well to not only apologize, but to produce an incident-style reporting on the organizational failures that led to the original letter and the terrible subsequent response in this bug, as well as the steps that are being taken to keep them from recurring to the detriment of the web. DigiCert, will you commit to this?

I'd also like to thank Sectigo for bringing this conduct to light. In my opinion, it unfortunately reads on DigiCert's credibility as a member of this community, and is important information to have when dealing with them in the future.

Flags: needinfo?(dcbugzillaresponse)

Wayne wrote:

Please consider this internally and try to improve your communications going forward.

JSaares wrote:

I'll mirror Wayne in calling for DigiCert to "do everyone a favor and admit some fault here," as well as to "consider this internally and try to improve your communications going forward."

Mike wrote:

If DigiCert is to act responsibly regarding this matter, from this point forward — snip — is important information to have when dealing with them in the future.

The three of you believe there is a way forward.

Entrust was distrusted for far less.
Symantec was distrusted for far less.

Why would anyone believe DigiCert has a future in public PKI? Even from DigiCert’s poorly written response above, it is clear as day that they fall into the category of CAs that should be distrusted. DigiCert’s actions do not foster trust—double-digit bugs over the past year, numerous delayed revocations without adequate justification, and now this legal letter.

Their responses to community questions have been inadequate, with updates that fail to inspire trust or confidence that they are genuinely addressing root causes. Instead, their replies feel more like legal maneuvering than sincere efforts to fix the issues.

This is not the behavior of a CA that wants to do the right thing and be an upstanding member of the community. Instead, they seem to be using every available lever—including legal tactics—to avoid accountability.

That being said, is the general sentiment of the community that "DigiCert is too big to fail"?

I would like to hear what the browser representatives think about this situation and whether they feel DigiCert genuinely engenders the proper CA trusted by their programs.

The community and public at large is listening...

I definitely did not mean to indicate that I was specifically in favour of DigiCert remaining trusted, or to give any opinion of their conduct in other incidents. Whether or not they remain trusted is up to the root programs, and I think that DigiCert should provide a full accounting of cause and remediation even if distrust is on the table for this or other reasons. Entrust is still finishing up its outstanding incident reports, after all.

One of Mozilla’s core principles is the importance of transparent community-based processes. A healthy certificate ecosystem requires open discussion and debate, as well as robust, constructive and respectful engagement from all sides. Actions that chill participation in these discussions are deeply damaging to our community, whether they take place in private or in public.

Similarly, while discussions can be robust, participants should be careful not to cross the line into aggressive or adversarial behavior. Even when “asking questions”, participants should endeavor to be respectful and fairly characterize others’ views. Constructive collaboration and open dialogue are one of the most effective ways to support and contribute to a healthy and secure certificate ecosystem.

We welcome the continued constructive discussion. If contributing, please be mindful of Mozilla’s Community Participation Guidelines (CPG).

Ben, perhaps you should recuse yourself due to your long history with DigiCert. People are aware of your private conversations with them, and there is a noticeable degree of favoritism in how you handle bug closures.

This was meant to be an open fact based dialogue, not adversarial nor aggressive.

The public has a growing concern how these matters are being handled behind closed doors.

I believe Ben Wilson has been very careful with running the Mozilla Root Program in a fair and impartial manner, so comments like https://bugzilla.mozilla.org/show_bug.cgi?id=1950144#c9 are disrespectful to Ben's work in Mozilla over the last years.

Even in the strictest non-compete contracts, when a person leaves a company, the conflicts of interest are no longer considered valid after 2-3 years.

"Closed doors" are in some cases essential to protect business relations and pursue faster progress. Browsers have been known to discuss with auditors "behind closed doors" and that's for the benefit of the public interest. Browsers have also been known to discuss "behind closed doors" with Regulators and EU officials, in order to get a better position in the interest of Relying Parties. None of that is wrong or problematic.

"The Public" (sic) is very pleased with the balance Browser representatives have exercised historically in this ecosystem, and I can't recall a single moment in time where "The Public" has raised strong concerns about the Browser representative's behavior breaking that balance.

(In reply to J. Bentham from comment #9)

Ben, perhaps you should recuse yourself due to your long history with DigiCert. People are aware of your private conversations with them, and there is a noticeable degree of favoritism in how you handle bug closures.

This was meant to be an open fact based dialogue, not adversarial nor aggressive.

The public has a growing concern how these matters are being handled behind closed doors.
I find it concerning that what feels to me like a reasonable reminder in comment #8 of Mozilla's Community Participation Guidelines (CPG) then receives this response, which I personally feel does not meet those guidelines.

Recusal Suggestion
"Ben, perhaps you should recuse yourself due to your long history with DigiCert."

Suggesting recusal due to a perceived conflict of interest can be seen as a legitimate concern if presented respectfully. However, it should be backed by evidence and not imply wrongdoing without proof.

Accusation of Favoritism
"People are aware of your private conversations with them, and there is a noticeable degree of favoritism in how you handle bug closures."

This statement could be construed as a personal attack, as it accuses Ben of favoritism without providing concrete evidence.

DigiCert voluntarily disclosed the TRO in its incident response. The TRO affected only 1 certificate, which ended up being handled exactly the same way as all the rest. And all the information about the TRO is in the public record. Despite this, our competitor both publicly and privately repeatedly asked our representatives about it, so we wanted to make their management aware of the behavior. We need to take the steps we feel are necessary to protect our business from attack from our competitors and we felt circumstances warranted sending the November 11 letter to Sectigo. As we note above, Sectigo responded and we were satisfied with the response and that was the end of the matter as far as we were concerned. Since there is no allegation of a violation of a compliance requirement here, please close this issue.

Flags: needinfo?(dcbugzillaresponse)

(In reply to DigiCert from comment #12)

DigiCert voluntarily disclosed the TRO in its incident response. The TRO affected only 1 certificate, which ended up being handled exactly the same way as all the rest. And all the information about the TRO is in the public record. Despite this, our competitor both publicly and privately repeatedly asked our representatives about it, so we wanted to make their management aware of the behavior. We need to take the steps we feel are necessary to protect our business from attack from our competitors and we felt circumstances warranted sending the November 11 letter to Sectigo. As we note above, Sectigo responded and we were satisfied with the response and that was the end of the matter as far as we were concerned. Since there is no allegation of a violation of a compliance requirement here, please close this issue.

Will DigiCert be sending more letters to other parties in the future? That a subject makes DigiCert uncomfortable to discuss does not change that there were questions raised and unanswered.

Whoever is making these decisions at DigiCert needs to understand that "our desire to promote open and honest dialogue", should not stop at being asked to explain issues that make the company uncomfortable. Nor, indeed, are incidents as narrowly defined as your CA seems to be misunderstanding. For example from the Chrome Root Program Policy:

The failure of a Chrome Root Program Participant to meet the commitments of this policy is considered an incident, as is any other situation that may impact the CA's integrity, trustworthiness, or compatibility.

Incidents are not just certificate issues, but are broad enough to raise incidents where a CA's integrity, trustworthiness, or compatibility require a discussion, and remediation. Does DigiCert have a different interpretation?

I appreciate that DigiCert have not actually answered any point raised so far, and look forward to them actually answering any questions. Furthermore, as Ben has already stated:
(In reply to Ben Wilson from comment #8)

One of Mozilla’s core principles is the importance of transparent community-based processes. A healthy certificate ecosystem requires open discussion and debate, as well as robust, constructive and respectful engagement from all sides. Actions that chill participation in these discussions are deeply damaging to our community, whether they take place in private or in public.

One strange individual aside, we are all trying to figure out a way forward here so please try to involve yourself in this discussion in a positive way. The repeated focus on competitors gives a very unfortunate perception of DigiCert's views on interacting with CAs in this space. I personally am very curious as to what DigiCert's actions would be if a 'competitor' sent a similar letter to a named employee at your company.

The use of a TRO by a subscriber to prevent revocation was unprecedented, and it should not be surprising that any CA and their staff would be very interested in such an incident, and of course any legal precedent it could result in. In the past year there have been numerous delayed revocation incidents and a key lesson learned across many of them has been how manual procedures have prevented prompt action. If the use of the legal system by subscribers to delay or prevent revocation becomes an accepted practice then it undermines not only all the work that has been done to spread automation, but also the agency of CAs, and the BRs.

Having read through https://bugzilla.mozilla.org/show_bug.cgi?id=1910322 again I want to highlight something that I have not seen addressed by others and that I find worrying. Before the comments that prompted the legal threat, the discussion was about the appropriateness of an individual resigning as the result of an incident, the importance of “blamelessness”, and the negative consequences which this could have in the future.

While Jeremy Rowley states that it was his voluntary choice to resign, I cannot help but connect this with DigiCert making an individual the target of their legal threats.

I take Mr. Rowley at his word that the resignation was voluntary, but DigiCert had a choice in one of their employees posting that the root cause of an incident was them, personally. And they had a choice in that person's resignation being included in the post mortem of a bug. I understand feeling personal responsibility for an incident and wanting to resign, but an organization should understand that the true root cause of an issue is not a specific individual. I hope that the move to non-personal CA accounts on Bugzilla will help in preventing others from “martyring” themselves in the future.

I think it was a mistake by DigiCert to allow blame to be placed on a specific individual (even if it is done by themselves), and I also think it is a mistake to target a specific individual (through their employer) with these legal threats.

While it might not be much to me it is enough to wonder if there is a pattern here and I’m curious if others see the same thing.

When reading comments to the referenced bug I do not think that any of them are disparaging. And I am confident that most share my sentiment because when comments cross the line of what is acceptable on Bugzilla they are called out, as evidenced in the comments on this bug.

We should be able to trust the community and Mozilla to call out and act against unacceptable behavior. Surely Mozilla would act if they believed that a CA was using Bugzilla to disparage their competitors. This is what I believe.

I am troubled that DigiCert has restated in their latest comment that they believe that the legal threats were justified, framed as “protecting themselves from a competitor”. The specificity makes me, personally, feel a little bit safer as an individual contributor (representing no one but myself as a relying party).

We also find ourselves yet again in the situation that has happened quite often in the past year: a CA in disagreement with everyone else on Bugzilla (willing to engage publicly).

I ask that this bug not be closed and instead that DigiCert take this opportunity to build trust with the community by taking responsibility for their mistakes and learning from them.

Do we have a timeline for when the preliminary incident report will be posted?

I'm not sure that this is your typical incident. We moved this bug from the CA Compliance to the CA Certificate Root Program component. Let's discuss this further before making any decisions in that regard.

As explained in Comments 1 and 12, we believed it was appropriate to address statements from a competitor that we considered misleading about our company, by sending the letter attached to this bug report. However, we also understand and empathize with the comments that expressed concerns that these types of letters could have the effect of chilling open discussion in this forum. We were surprised Sectigo shared this letter as the legal team had thought the issue resolved. Our first response was to explain our reasons for sending the letter. On reflection, we acknowledge that the letter was not in the best interest of transparency and this community. The Mozilla forum has a code of conduct policy, which would have been a much better avenue for dealing with any perceived unfairness.

Open discussion is very important to DigiCert and the industry standards team. We regret sending the letter. We would not have sent a letter like this to just any member of this forum. The letter was sent in the normal course of business from one large company to a comparably large competitor who has similarly sophisticated legal resources. Even in this context, sending the letter was not a good idea, and if we could go back to November, we would not send this letter again. We are committed to open discussion with the community to resolve concerns, even when the community members are competitors. Going forward, we will limit ourselves to the Community Participation Guidelines rather than external legal process for questions of abuse of the forum. We take responsibility for what we admit was a mistake.

I appreciate that DigiCert were willing to acknowledge that a mistake has been made. However I'm still missing answers to a question posed over 7 days ago in Comment 13:

Whoever is making these decisions at DigiCert needs to understand that "our desire to promote open and honest dialogue", should not stop at being asked to explain issues that make the company uncomfortable. Nor, indeed, are incidents as narrowly defined as your CA seems to be misunderstanding. For example from the Chrome Root Program Policy:

The failure of a Chrome Root Program Participant to meet the commitments of this policy is considered an incident, as is any other situation that may impact the CA's integrity, trustworthiness, or compatibility.

Incidents are not just certificate issues, but are broad enough to raise incidents where a CA's integrity, trustworthiness, or compatibility require a discussion, and remediation. Does DigiCert have a different interpretation?

I am glad we are now starting on the right steps going forward.

Wayne, we acknowledged that it was a mistake to send the letter, but we don’t believe that it represented a failure to meet the commitments of the root program policies or that this represents an incident.

DigiCert has no additional comments on this matter. Can we consider this resolved?

I do not think this can be 'resolved' yet - Wayne provided clear proof from the Chrome Root Program Policy that this is really an incident. DigiCert's integrity and 'trustworthiness' is under question in this place.

I would hope some representative from Chrome could comment here, and this Bugzilla should stay open until we have comment from them on whether Chrome considers it an incident or not.

Flags: needinfo?(chrome-root-program)

We believe continuing this discussion in this bug provides an opportunity for DigiCert to directly address the community's interests and demonstrate its commitment to consistently upholding the standards we must consider essential for publicly-trusted CA Owners.

To be clear, behavior that intimidates, discourages, or otherwise undermines a member's good-faith participation in this community is at odds with the core values of the Web PKI ecosystem, unacceptable, and detrimental to the ecosystem's best interests.

The community's feedback demonstrates that there's a strong desire to understand DigiCert's efforts in rebuilding trust and restoring goodwill following the activities detailed in this bug. We believe that this discussion, not a separate incident report, is the most effective way to achieve these goals.

We appreciate DigiCert's acknowledgment that their past behavior fell short of their standards. However, the acknowledgment does not foreclose further discussion, and we need a clear path forward to ensure such behavior is not repeated by any member of the community.

Flags: needinfo?(chrome-root-program)