I have received the following email. I don't feel comfortable with this sitting in just my inbox. There were many other recipients CCed on this email too. Seems to mainly be targeting active bugzilla members.

Please note: I've done my best to remove names that may be sensitive here. I have no way of asserting if this information is correct, or not. My message here is for the sake of transparency. I do not know who the sender of this email is.

> [Name 0] is correct in latest bug post; Digicert is not a trustworthy
> organization. Individuals, companies, partners, resellers, and customers
> should not rely on or trust them.
>
> This information is widely known within the industry; ask anyone. Current and
> former employees, partners, and customers are aware of these issues.
>
> The original CNAME incident affected millions of certificates, not just tens
> of thousands. The fix was implemented under [Name 1]'s direction with little
> prior notice. A decision was made by [Name 1], [Name 2], and Digicert Legal
> to not disclose the mis-issuance of millions of certificates to avoid
> potential loss of business and the need for revocations. Digicert advised
> their customer to obtain a legal T.R.O. (Temporary Restraining Order) related
> to this issue.
>
> [Name 1]'s resignation was planned; he was transitioned from full-time
> employee to contractor immediately afterward, which appeared to be an attempt
> to manage the fallout and assign blame. He remained a contractor with a
> planned return once the CNAME incident was resolved.
>
> Employees within Digicert who became aware of the bug and fix raised concerns
> and pushed for full disclosure. As a result, some of these employees were
> terminated ([Name 3], [Name 4]).
>
> Any employees who were dismissed should have the legal right to speak freely,
> without fear of violating NDAs, provided they do not disclose proprietary or
> customer-specific information. They should be able to confirm or deny the
> allegations if they choose. Additionally, a representative from Alegeus could
> confirm if they initiated or assisted with the TRO.
>
> Overall, Digicert cannot be trusted. Their pattern of misinformation, denial,
> and misdirection has eroded confidence. Their conduct toward the community,
> competitors, and internet users is unacceptable and should not continue.
>
> Will Digicert add public comment?

Please note that there is a reply to this message that contains a bit more sensitive/PII information. If we think that this email is actionable, I can follow up with the reply after sanitizing it as well.
