For the easiest one first: with respect to the GoDaddy disclosure [1 (your
#2)], I can't see either certificate being disclosed in the audit report.
That definitely sounds like a clear and obvious incorrect disclosure - but
perhaps I'm missing something?
With respect to the Sectigo disclosure [2 (your #1)], this is a bit
trickier.
That's because Sectigo's audit [3] does include the relevant certificates,
as does Management's Assertion. Similarly, Web.com's / Network Solutions'
audit [4] and Management's Assertion contain the relevant certificates. The
former audit was conducted by E&Y New York, the latter by E&Y Tampa.
You can note a number of similarities in the audit reports (which have
existed for some time), such as Web.com's audits listing all the same
locations as Sectigo's. I believe that this is because Sectigo has been
running "white label" services for Network Solutions / Web.com, in which
Sectigo performs the management and maintenance, but Web.com obtains an
independent audit bearing their own name. While rare for the CA space, this
is not terribly unique in the compliance space - for example, you will find
many products on the NIST CMVP list that use OpenSSL's FIPS module under
the hood, but branded with their own corporate information and accompanying
security policy.
In theory, this is 'valid'. Sectigo's auditors would examine all of the
systems and controls, ensuring that they're consistent with Sectigo's
CP/CPS and the relevant requirements, and issue an opinion. Web.com's
auditors would similarly examine all of the systems and controls (e.g.
inspecting Sectigo's facilities and employees/controls), and ensure that
they're consistent with Web.com's CP/CPS and the relevant requirements.
Provided that Sectigo allows Web.com's auditors access to their facilities
(and vice-versa), it is possible to issue audits and opinions in this way,
assuming that the CP/CPS of both organizations are harmonized. They don't
even have to use the same auditors.
Whether this is good or advisable, from a policy perspective, I'm not sure.
It does highlight some of the issues we've long talked about due to an
overreliance on audits and their presumed objectivity, and highlights the
importance of careful examination. The past discussions on m.d.s.p., when
audits were first introduced as a requirement, and Ian Grigg's work in the
context of CACert, the community CA, in trying to develop and define an
audit methodology [5], highlighted the role of audits examining a CA's
CP/CPS. This approach was similarly highlighted by the ABA's PKI Assessment
Guidelines [6], which deeply influenced what WebTrust (and its predecessor)
became and evolved into.
Thus, in order to understand whether or not Sectigo's and Web.com's
disclosures represent a bug, we'd need to better understand from them, and
their auditors, the relationship between these two organizations, as well
as what independent steps each group of auditors took in order to examine
who has operational and issuance control, and how those policies were
evaluated.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1567061
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1567060
[3] https://www.cpacanada.ca/generichandlers/aptifyattachmenthandler.ashx?attachmentid=231163
[4] https://www.cpacanada.ca/generichandlers/aptifyattachmenthandler.ashx?attachmentid=230862
[5] https://iang.org/papers/open_audit_lisa.html
[6] https://www.americanbar.org/content/dam/aba/events/science_technology/2013/pki_guidelines.pdf