SECOM: 2025 S/MIME CA Modified Opinion Report of Cybertrust Japan (CTJ)

This incident report addresses a modified opinion in the WebTrust for S/MIME Baseline Requirements (WTSM) audit report concerning a subordinate CA certificate issued before the S/MIME BR compliance date. The affected certificate was revoked on 2025-08-21, and all End-Entity certificates were compliant with applicable requirements. The root causes included a departure from best practices, misinterpretation of requirements, and a lack of risk assessment. To prevent recurrence, Cybertrust Japan and SECOM have strengthened their verification processes and decision-making frameworks.

1. 2024-12-11 Non-compliance start date
2. 2026-03-04 Non-compliance identified date
3. 2025-08-21 Revocation of the non-compliant subordinate CA certificate
4. 2026-03-06 Incident Report posted on Bugzilla
5. 2026-03-19 Final call for comments on Incident Report