Bugzilla #1972547
Technical Compliance
Sectigo: Lack of technical controls for multiparty control access to Secure Zone
RESOLVED
FIXED
Sectigo
AI Summary
During a WebTrust audit it was found that a single CA Administrator could have sole physical access to a Secure Zone, contrary to the intent of Sectigo's Certificate Policy (CP), which described multiparty control of Secure Zone access as "strictly enforced". That wording implied a technical enforcement of the access control, which was not in place. Certificate issuance was not affected. The root cause was identified as the incorrect use of the term "strictly enforced" in the CP, and clarifying language was added to the CP to prevent future misinterpretation.
Chronology
- Sectigo WebPKI CP version 1.0 published
- Non-compliance identified during audit
- Bug opened to report incident
- Report Closure Summary posted
Participants
Martijn Katerbarg
External References
Similar Local Cases
Sectigo: Late termination of privileged access to Certificate Systems
Sectigo: CRL validity beyond CPS allowed value
Sectigo: Reseller ZeroSSL and Private Key Generation
Microsoft PKI Services: 3-Month Access Review Process Failure
Microsoft PKI Services: Trusted Role Control Failure
Amazon Trust Services: Missing CAA Check For Test Website Certificates
PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #10 – Firewall Rules and Review
Apple: CRL issuance frequency deviates from CPS in some cases