https://bugzilla.mozilla.org/show_bug.cgi?id=1950144

Bug 1950144 - DigiCert: Threat of legal action to stifle Bugzilla discourse

Open bug. Opened 1 day ago, updated 1 hour ago.

Summary: DigiCert: Threat of legal action to stifle Bugzilla discourse
Product: CA Program (issues related to the Certificate Authority Program)
Component: CA Certificate Root Program (for Certificate Authorities to file requests asking for their certificates to be included in the default certificate store)
Type: defect
Version: unspecified
Platform: Unspecified
Priority: Not set
Severity: --
Status: UNCONFIRMED
Milestone: ---
Reporter: brian.holland
Assignee: Unassigned
Triage Owner: bwilson
CC: 34 people
Security: public (this bug is publicly visible)

Attachments (1 file):
2024-11-11 DigiCert Letter to Sectigo.pdf (Brian Holland, 1 day ago, 250.80 KB, application/pdf)

Description, Brian Holland (Reporter), 1 day ago

Attached file: 2024-11-11 DigiCert Letter to Sectigo.pdf

In bug 1910322 comment 74 DigiCert wrote, "We have not used a legal team as a shield against accountability." Contrary to this statement, I received a letter from DigiCert's lawyers, Wilson Sonsini, regarding posts made by Sectigo's Chief Compliance Officer in bug 1910322. The upshot of the letter was that DigiCert expected Sectigo to "ensure that Mr. Callan's statements do not continue and will not be repeated by any other member of Sectigo's organization."
I'm Brian Holland, General Counsel for Sectigo, and this is my first time posting on Bugzilla. I'm posting because at Sectigo we believe that the WebPKI is best served by open, transparent, and honest debate about issues that impact our community. Attempts to shut down these conversations, through lawyers or otherwise, are harmful to our collective core mission.

In its opening passages, this letter reads (emphasis mine),

"We ask for your prompt cooperation and assistance in taking corrective action and forcing Mr. Callan to cease his disparaging public statements. We hope your assistance in this matter will render unnecessary legal action by DigiCert against Sectigo."

After three pages of detail about specific Bugzilla posts and references to the Lanham Act, deceptive trade practices, corporate disparagement, and tortious interference, the letter (the full letter is included as an attachment to this bug) goes on to say (emphasis mine):

"At this point, we are bringing this situation to your attention on behalf of DigiCert because we are hopeful that Mr. Callan's actions were the actions of one individual and were not part of an organized plan or institutional practice. We also hope that, upon receiving this information, Sectigo will recognize the impropriety of Mr. Callan's statements and the substantial public, industry, and browser scrutiny and legal risk such statements would prompt if they were to continue. To that end, we expect that Sectigo will investigate this incident promptly and take the appropriate corrective actions, confirm that this situation was not part of an institutional practice, and ensure that Mr. Callan's statements do not continue and will not be repeated by any other member of Sectigo's organization. We hope we can resolve this situation as soon as possible before DigiCert is compelled to seek legal action."
On December 10, 2024 I sent this response in email to my contact at Wilson Sonsini:

I have reviewed your letter and the Bugzilla thread referenced therein. In that letter, you suggest that DigiCert has various legal claims against Sectigo and/or its COO [sic], Tim Callan, for what you call "false and misleading statements about DigiCert" made on the Bugzilla forum. We strongly disagree. The statements you point to are questions and/or statements of opinion that are not actionable statements of fact. Moreover, those comments were made with the intent of facilitating discussion and debate about important questions of first impression for our industry. They were made by Tim Callan in good faith, are fully protected by the First Amendment, and cannot, as a matter of law, form the basis for any of the causes of action mentioned in your letter.

As you are aware, the PKI community is a self-regulating group that, as set out in the bylaws of the Certificate Authority Browser Forum, works "closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users." For the community to self-regulate, there needs to be open, uninhibited, and robust discussion and debate about best practices in the industry. Any litigation threats that chill or stifle such debate undermine the self-regulatory system that has worked so well for the industry.

Certificate Authorities post incident reports on Bugzilla to "provide lessons learned and transparency about the steps the CA Owner takes to address the immediate issue and prevent future issues." As the Common CA Database goes on to state, "incident reports help the Web PKI ecosystem as a whole because they promote continuous improvement, information sharing, and highlight opportunities to define and adopt improved practices, policies, and controls" of all parties.
The TRO involved in this incident report, as one Bugzilla commenter noted, is "an unprecedented event in the WebPKI, and . . . if allowed to proliferate, it would potentially be used by subscribers en masse to do an end-run around important technical security controls." The PKI Community has never considered how it should respond to TROs and now needs to do so. Understanding the situation faced by your client and why it made certain decisions is important to improving the WebPKI ecosystem. This is why Mr. Callan, and many others, have been asking questions - some of which have been critical questions designed to achieve a consensus as to how best to handle situations like this in the future. In any such discussion, there will be differences of opinion, but open, uninhibited, robust, and transparent discussion is essential for the industry to learn how to best move forward.

I hope that your client will, on deeper reflection, realize that as a leader in the PKI Community, it should be driving, rather than stifling, discussion of this topic. Your client's threat of litigation is, in our view, both misguided and without merit. We will strive to be respectful in our tone, but neither Mr. Callan nor Sectigo will be silenced or prevented from asking critical questions and/or engaging in critical discussion about issues of substantial concern to the public and the industry.

We find the threat of legal action to stifle scrutiny and discussion of public CA practices to be deeply troubling and entirely at odds with the transparent, blameless post-mortem culture that the CCADB incident report guidelines expect CAs to embrace. Even for a company like Sectigo, the threat of a lawsuit from a well-resourced organization like DigiCert is worrisome, regardless of our confidence that Mr. Callan's speech was proper, legally protected, and in the best interest of the WebPKI.
Another party challenging DigiCert's behavior, faced with this same threat, might choose simply to stop asking uncomfortable questions. No CA should be allowed to intimidate its critics into silence. This would irreparably damage the integrity and quality of the WebPKI. I am sharing this incident to bring attention to DigiCert's actions and allow the community to evaluate this approach. What began as a discussion of the threat posed by certificate subscribers using the legal system to circumvent WebPKI security controls needs, in my opinion, to be broadened.

Daniel Veditz [:dveditz] updated the bug, 1 day ago: Component: CA Certificate Compliance → CA Certificate Root Program

Comment 1, DigiCert, 2 hours ago

DigiCert is committed to the ideals that underpin this forum and the CA community. Interactions between competitors can sometimes be prickly, but we applaud your statement that "the WebPKI is best served by open, transparent, and honest debate about issues that impact our community." We strive to be consistent with this ideal in our statements and actions.

We find ourselves in the strange position of having to publicly explain a private letter we sent to you and Sectigo last November. Like any private correspondence between individuals, it is difficult for others to have the full context to understand the interaction, particularly if only reading passages excerpted and emphasized to make a particular point. In reality, our letter to you was consistent with our desire to promote open and honest dialogue. We encourage all participants in this forum to read the entire letter and be familiar with the activity in this forum that gave rise to our concerns.

For a debate to be both open and honest, we have to trust that participants in our community have the best interest of the community and industry at heart. No doubt that industry competitors, like Sectigo and DigiCert, are tempted to seek business advantage wherever they can.
But we discipline ourselves to set that aside when we come together to discuss issues that matter to our whole industry. We believe you and Sectigo feel the same way as we do about this.

Our reason for sending you this letter was not to chill debate, far from it. We were worried that some, encouraged by the Entrust distrust, may have been abusing the forum by posting misleading information and half-truths in an attempt to negatively sway public opinion and keep bugs open past their useful lifecycle. We are committed to preserving this forum for honest, as well as open, discussion and that it should not be used merely as a means for business competitors to foil each other. This was the reason we sent you and Sectigo the letter.

About a month later, you sent us back the response that you quote in your bug report. We were satisfied with your response. As you know we have not responded further or taken any other action on this matter, despite the ongoing discussion on the relevant bugs. Until you drew this out again we had thought the matter was closed.

In short, we fully agree with you that this community is best served by open discussion. But the discussion must also be honest, factually accurate, and focus on a fair review of important and relevant issues. Think how a business acting in bad faith could abuse this forum to undermine and harm a competitor in the CA industry--raising hearsay, reporting malicious rumors, asking leading and endless questions, etc. If this forum becomes merely a venue for gaining competitive advantage or for shaming our business rivals then it will fail its intended purpose and lose all value. Our aim in sending the letter was simply to defend the integrity of this forum. Despite the occasional sharpness of business rivalry, we do trust your and Sectigo's good faith, and above all the public spirit of this forum and its moderators.
We hope we can put these concerns behind us and continue monitoring and discussing matters truly of interest to the WebPKI community.

Comment 2, Wayne, 1 hour ago

The very first thing I did on seeing this incident was not to read Sectigo's allegations, but the letter that DigiCert wrote. On those facts, as disclosed, it certainly reads poorly that this is consistent with DigiCert's desire to promote open and honest dialogue. Worryingly, it is a targeted legal threat at a named, singular employee bolstered by baseless legal arguments. I was particularly amused when the Lanham Act was butchered to breaking point to try and imply participation on Bugzilla by your competitors is considered commercial advertising or promotion.

Try to lead by example and have your team talk on other incidents publicly, try to see where shortcomings exist in other CAs, and how to push the community as a whole forward. If we're going to be open, transparent, and honest then we need to acknowledge that in November someone made a terrible call and authorized that letter in the first place. I appreciate that in that timeframe DigiCert were dealing with the fallout of a TRO impacting their revocation. I would not be surprised if potential scenarios were discussed, and perhaps leapt upon without proper understanding of the repercussions. It's already an embarrassing letter, but please do everyone a favor and admit some fault here.

In the interests of transparency, and with DigiCert highlighting the Entrust distrust, I want to make clear that nothing even close to this was sent from Entrust's side during the past year. Or at least no one who's talked to me has hinted at anything close to it ever existing. Please consider this internally and try to improve your communications going forward.