For the easiest one first: with respect to the GoDaddy disclosure [1 (your #2)], I can't see either certificate being disclosed in the audit report. That definitely sounds like a clear and obvious incorrect disclosure - but perhaps I'm missing something?
With respect to the Sectigo disclosure [2 (your #1)], this is a bit trickier. That's because Sectigo's audit [3] does include the relevant certificates, as does Management's Assertion. Similarly, Web.com's / Network Solutions audit [4] and Management's Assertion contain the relevant certificates. The former audit was conducted by E&Y New York, the latter audit by E&Y Tampa. You can note a number of similarities in the audit reports (which have existed for some time), such as Web.com's audits listing all the same locations as Sectigo's. I believe that this is because Sectigo has been running "white label" services for Network Solutions / Web.com, in which Sectigo performs the management and maintenance, but Web.com obtains an independent audit bearing their own name. While rare for the CA space, this is not terribly unique in the compliance space - for example, you will find many products on the NIST CMVP list that use OpenSSL's FIPS module under the hood, but branded with their own corporate information and accompanying security policy. In theory, this is 'valid'. Sectigo's auditors would examine all of the systems and controls, ensuring that they're consistent with Sectigo's CP/CPS and the relevant requirements, and issue an opinion. Web.com's auditors would similarly examine all of the systems and controls (e.g. inspecting Sectigo's facilities and employees/controls), and ensure that they're consistent with Web.com's CP/CPS and the relevant requirements. Provided that Sectigo allows Web.com's auditors access to their facilities (and vice-versa), it is possible to issue audits and opinions in this way, assuming that the CP/CPS of both organizations are harmonized. They don't even have to use the same auditors. Whether this is good or advisable, from a policy perspective, I'm not sure.
It does highlight some of the issues we've long talked about due to an overreliance on audits and their presumed objectivity, and highlights the importance of careful examination. The past discussions on m.d.s.p., when audits were first introduced as a requirement. Ian Grigg's work in the context of CACert, the community CA, and in trying to develop and define an audit methodology [5], highlighted the role of audits examining a CA's CP/CPS. This approach was similarly highlighted by the ABA's PKI Assessment Guidelines [6], which deeply influenced what WebTrust (and its predecessor) became and evolved into. Thus, in order to understand whether or not Sectigo and Web.com's disclosures represent a bug, we'd need to better understand from them, and their auditors, the relationship between these two organizations, as well as what independent steps each group of auditors took, in order to examine who has operational and issuance control, and how those policies were evaluated.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1567061
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1567060
[3] https://www.cpacanada.ca/generichandlers/aptifyattachmenthandler.ashx?attachmentid=231163
[4] https://www.cpacanada.ca/generichandlers/aptifyattachmenthandler.ashx?attachmentid=230862
[5] https://iang.org/papers/open_audit_lisa.html
[6] https://www.americanbar.org/content/dam/aba/events/science_technology/2013/pki_guidelines.pdf

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy