Email I've received regarding Digicert


Amir Omidi

Jun 11, 2025, 12:45:35 PM
to dev-secur...@mozilla.org
I have received the following email. I don't feel comfortable with this sitting in just my inbox. There were many other recipients CCed on this email too. It seems to mainly be targeting active Bugzilla members. Please note:

  1. I've done my best to remove names that may be sensitive here.
  2. I have no way of asserting if this information is correct, or not.
  3. My message here is for the sake of transparency.
  4. I do not know who the sender of this email is.

[Name 0] is correct in latest bug post; Digicert is not a trustworthy organization. Individuals, companies, partners, resellers, and customers should not rely on or trust them.

This information is widely known within the industry; ask anyone. Current and former employees, partners, and customers are aware of these issues.

The original CNAME incident affected millions of certificates, not just tens of thousands. The fix was implemented under [Name 1]'s direction with little prior notice. A decision was made by [Name 1], [Name 2], and Digicert Legal to not disclose the mis-issuance of millions of certificates to avoid potential loss of business and the need for revocations. Digicert advised their customer to obtain a legal T.R.O. (Temporary Restraining Order) related to this issue.

[Name 1]'s resignation was planned; he was transitioned from full-time employee to contractor immediately afterward, which appeared to be an attempt to manage the fallout and assign blame. He remained a contractor with a planned return once the CNAME incident was resolved.

Employees within Digicert who became aware of the bug and fix raised concerns and pushed for full disclosure. As a result, some of these employees were terminated ([Name 3], [Name 4]).

Any employees who were dismissed should have the legal right to speak freely, without fear of violating NDAs, provided they do not disclose proprietary or customer-specific information. They should be able to confirm or deny the allegations if they choose. Additionally, a representative from Alegeus could confirm if they initiated or assisted with the TRO.

Overall, Digicert cannot be trusted. Their pattern of misinformation, denial, and misdirection has eroded confidence. Their conduct toward the community, competitors, and internet users is unacceptable and should not continue.

Will Digicert add public comment?


Please note that there is a reply to this message that contains a bit more sensitive/PII information. If we think that this email is actionable, I can follow-up with the reply after sanitizing it as well.

transp...@digicert.com

Jun 14, 2025, 2:58:28 PM
to dev-secur...@mozilla.org, Amir Omidi
Hi Amir,

DigiCert has received the related initial inquiry via our Ombudsman program. As outlined in the DigiCert Ombudsman SOP in bug 1950144, comment 55, this case is following the documented next steps. We will continue to provide updates to the submitter within the SLAs specified in the SOP. At this time, we have no further comment outside of the Ombudsman process, in order to preserve said confidentiality, and we thank the community for its patience while we continue to operate the Ombudsman program.

DigiCert Ombudsman Team

Matt Palmer

Jun 14, 2025, 11:01:18 PM
to dev-secur...@mozilla.org
On Fri, Jun 13, 2025 at 02:38:23PM -0700, 'Transp...@digicert.com' via dev-secur...@mozilla.org wrote:
> program. As outlined in the DigiCert Ombudsman SOP in bug
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1950144>* 1950144
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1950144>*, comment 55
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1950144#c55>, this case is
> following the documented next steps.

Does anyone else think it slightly odd that the most authoritative
documentation on the existence of this Ombudsperson program and how it
works -- including requirements on those who might wish to avail
themselves of its remedies -- is buried 55 comments down in a Bugzilla
issue? All it needs is a sign saying "Beware of the leopard".

- Matt

Mike Shaver

Jun 15, 2025, 9:34:35 AM
to Matt Palmer, dev-secur...@mozilla.org
Yeah, I don’t know why DigiCert isn’t advertising this on their site somewhere, if they think it’s really important.

Mike

Zacharias Björngren

Jun 15, 2025, 9:42:01 AM
to Mike Shaver, Matt Palmer, dev-secur...@mozilla.org
It’s hard to know how credible the allegations are; at least one of the people taking part has been active on Bugzilla in a very heated manner, but their latest comments have been more civil. One of the things that worries me the most is the allegations of NDAs or similar to silence (past) employees, because it reminds me of the legal threat sent to Sectigo over Tim Callan's comments on Bugzilla.

While I respect the right of DigiCert to protect business secrets and to protect confidentiality, I am worried that they are also preventing people from speaking up against misconduct.

Zacharias

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqv2gwfNXJb6UyeuByrx69_Ly0QCLQaLgJw-NYzfKHng3Q%40mail.gmail.com.

Watson Ladd

Jun 15, 2025, 11:39:42 AM
to transp...@digicert.com, MDSP, Amir Omidi
Dear Digicert and other dev sec policy people,

I think this email and the response raise a lot of questions. While I appreciate the need for confidentiality in personnel matters, there are some things they can say that they haven't.

Digicert hasn't said that they have an anti-retaliation and whistleblower policy or that they will take any action should these allegations be substantiated. I'm glad they have committed to investigating and providing the results to the original complainant.

However, what's outlined in comment 55 was a process aimed at concerns about Digicert's behavior in the community. Basically, don't publish our baseless legal threats to Bugzilla, come let us reiterate them privately in a way that will let us make more baseless threats if you then disclose. It was not described as, and cannot replace, Digicert's BR obligations to investigate misissuance and open Bugzilla issues. It also doesn't seem like this process will necessarily be appropriate for these concerns.

Note that if substantiated there would have to be some very serious changes at Digicert for them to remain trustworthy. A lot of issuance behavior is not externally observable and audits can only go so far.

There are some things I'd like to discuss that are broader:
- Should CAs have whistleblower protections and exclude good faith bugzilla disclosures from their NDAs?
- balancing confidentiality and responsibility to root programs when personnel issues are involved

Sincerely,
Watson