Dear Digicert and other dev sec policy people,

I think this email and the response raise a lot of questions. While I
appreciate the need for confidentiality in personnel matters, there are
some things they can say that they haven't.

Digicert hasn't said that they have an anti-retaliation and whistleblower
policy or that they will take any action should these allegations be
substantiated. I'm glad they have committed to investigating and providing
the results to the original complainant.

However, what's outlined in comment 55 was a process aimed at concerns
about Digicert's behavior in the community. Basically, don't publish our
baseless legal threats to bugzilla, come let us reiterate them privately in
a way that will let us make more baseless threats if you then disclose. It
was not described as, and cannot replace, Digicert's BR obligations to
investigate misissuance and open bugzilla issues. It also doesn't seem like
this process will necessarily be appropriate for these concerns.

Note that if substantiated there would have to be some very serious changes
at Digicert for them to remain trustworthy. A lot of issuance behavior is
not externally observable and audits can only go so far.

There are some things I'd like to discuss that are broader:
- Should CAs have whistleblower protections and exclude good faith bugzilla
disclosures from their NDAs?
- Balancing confidentiality and responsibility to root programs when
personnel issues are involved

Sincerely,
Watson

On Sat, Jun 14, 2025, 11:58 AM '[email protected]' via
[email protected] <[email protected]> wrote:

> Hi Amir,
>
> DigiCert has received the related initial inquiry via our Ombudsman
> program. As outlined in the DigiCert Ombudsman SOP in bug 1950144
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1950144>, comment 55
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1950144#c55>, this case is
> following the documented next steps. We will continue to provide updates to
> the submitter within the SLAs specified in the SOP. At this time, we have
> no further comment outside of the Ombudsman process, in order to preserve
> said confidentiality, and we thank the community for its patience while we
> continue to operate the Ombudsman program.
>
> DigiCert Ombudsman Team
>
> On Wednesday, June 11, 2025 at 11:45:35 AM UTC-5 Amir Omidi wrote:
>
>> I have received the following email. I don't feel comfortable with this
>> sitting in just my inbox. There were many other recipients CCed on this
>> email too. It seems to mainly be targeting active bugzilla members. Please
>> note:
>>
>>    1. I've done my best to remove names that may be sensitive here.
>>    2. I have no way of asserting if this information is correct, or not.
>>    3. My message here is for the sake of transparency.
>>    4. I do not know who the sender of this email is.
>>
>> [Name 0] is correct in latest bug post; Digicert is not a trustworthy
>> organization. Individuals, companies, partners, resellers, and customers
>> should not rely on or trust them.
>>
>> This information is widely known within the industry; ask anyone. Current
>> and former employees, partners, and customers are aware of these issues.
>>
>> The original CNAME incident affected millions of certificates, not just
>> tens of thousands. The fix was implemented under [Name 1]'s direction with
>> little prior notice. A decision was made by [Name 1], [Name 2], and
>> Digicert Legal to not disclose the mis-issuance of millions of certificates
>> to avoid potential loss of business and the need for revocations. Digicert
>> advised their customer to obtain a legal T.R.O. (Temporary Restraining
>> Order) related to this issue.
>>
>> [Name 1]'s resignation was planned; he was transitioned from full-time
>> employee to contractor immediately afterward, which appeared to be an
>> attempt to manage the fallout and assign blame. He remained a contractor
>> with a planned return once the CNAME incident was resolved.
>>
>> Employees within Digicert who became aware of the bug and fix raised
>> concerns and pushed for full disclosure. As a result, some of these
>> employees were terminated ([Name 3], [Name 4]).
>>
>> Any employees who were dismissed should have the legal right to speak
>> freely, without fear of violating NDAs, provided they do not disclose
>> proprietary or customer-specific information. They should be able to
>> confirm or deny the allegations if they choose. Additionally, a
>> representative from Alegeus could confirm if they initiated or assisted
>> with the TRO.
>>
>> Overall, Digicert cannot be trusted. Their pattern of misinformation,
>> denial, and misdirection has eroded confidence. Their conduct toward the
>> community, competitors, and internet users is unacceptable and should not
>> continue.
>>
>> Will Digicert add public comment?
>>
>> Please note that there is a reply to this message that contains a bit
>> more sensitive/PII information. If we think that this email is actionable,
>> I can follow-up with the reply after sanitizing it as well.
>>
Astra mortemque praestare gradatim

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CACsn0cnLeDhDNju%2B%3DpbyfSZ%2BkfiaGjOJzu7LKAPxydoS84Vv5g%40mail.gmail.com.