In bug 1910322 comment 74 DigiCert wrote,

“We have not used a legal team as a shield against accountability.”

Contrary to this statement, I received a letter from DigiCert’s lawyers, Wilson Sonsini, regarding posts made by Sectigo’s Chief Compliance Officer in bug 1910322. The upshot of the letter was that DigiCert expected Sectigo to “ensure that Mr. Callan’s statements do not continue and will not be repeated by any other member of Sectigo’s organization.”

I’m Brian Holland, General Counsel for Sectigo, and this is my first time posting on Bugzilla. I’m posting because at Sectigo we believe that the WebPKI is best served by open, transparent, and honest debate about issues that impact our community. Attempts to shut down these conversations, through lawyers or otherwise, are harmful to our collective core mission.

In its opening passages, this letter reads (emphasis mine),

We ask for your prompt cooperation and assistance in taking corrective action and forcing Mr. Callan to cease his disparaging public statements. We hope your assistance in this matter will render unnecessary legal action by DigiCert against Sectigo.

After three pages of detail about specific Bugzilla posts and references to the Lanham Act, deceptive trade practices, corporate disparagement, and tortious interference, the letter (the full letter is included as an attachment to this bug) goes on to say (emphasis mine):

At this point, we are bringing this situation to your attention on behalf of DigiCert because we are hopeful that Mr. Callan’s actions were the actions of one individual and were not part of an organized plan or institutional practice. We also hope that, upon receiving this information, Sectigo will recognize the impropriety of Mr. Callan’s statements and the substantial public, industry, and browser scrutiny and legal risk such statements would prompt if they were to continue. To that end, we expect that Sectigo will investigate this incident promptly and take the appropriate corrective actions, confirm that this situation was not part of an institutional practice, and ensure that Mr. Callan’s statements do not continue and will not be repeated by any other member of Sectigo’s organization. We hope we can resolve this situation as soon as possible before DigiCert is compelled to seek legal action.

On December 10, 2024 I sent this response in email to my contact at Wilson Sonsini:

I have reviewed your letter and the Bugzilla thread referenced therein. In that letter, you suggest that DigiCert has various legal claims against Sectigo and/or its COO [sic], Tim Callan, for what you call “false and misleading statements about DigiCert” made on the Bugzilla forum. We strongly disagree. The statements you point to are questions and/or statements of opinion that are not actionable statements of fact. Moreover, those comments were made with the intent of facilitating discussion and debate about important questions of first impression for our industry. They were made by Tim Callan in good faith, are fully protected by the First Amendment, and cannot, as a matter of law, form the basis for any of the causes of action mentioned in your letter.

As you are aware, the PKI community is a self-regulating group that, as set out in the bylaws of the Certificate Authority Browser Forum, works “closely together in defining the guidelines and means of implementation for best practices as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.” For the community to self-regulate, there needs to be open, uninhibited, and robust discussion and debate about best practices in the industry. Any litigation threats that chill or stifle such debate undermine the self-regulatory system that has worked so well for the industry.

Certificate Authorities post incident reports on Bugzilla to “provide lessons learned and transparency about the steps the CA Owner takes to address the immediate issue and prevent future issues.” As the Common CA Database goes on to state “incident reports help the Web PKI ecosystem as a whole because they promote continuous improvement, information sharing, and highlight opportunities to define and adopt improved practices, policies, and controls” of all parties.

The TRO involved in this incident report, as one Bugzilla commenter noted, is “an unprecedented event in the WebPKI, and . . . if allowed to proliferate, it would potentially be used by subscribers en masse to do an end-run around important technical security controls.”

The PKI Community has never considered how it should respond to TROs and now needs to do so. Understanding the situation faced by your client and why it made certain decisions is important to improving the WebPKI ecosystem. This is why Mr. Callan, and many others, have been asking questions – some of which have been critical questions designed to achieve a consensus as to how best handle situations like this in the future. In any such discussion, there will be differences of opinion, but open, uninhibited, robust, and transparent discussion is essential for the industry to learn how to best move forward.

I hope that your client will, on deeper reflection, realize that as a leader in the PKI Community, it should be driving, rather than stifling, discussion of this topic. Your client’s threat of litigation is, in our view, both misguided and without merit. We will strive to be respectful in our tone, but neither Mr. Callan nor Sectigo will be silenced or prevented from asking critical questions and/or engaging in critical discussion about issues of substantial concern to the public and the industry.

We find the threat of legal action to stifle scrutiny and discussion of public CA practices to be deeply troubling and entirely at odds with the transparent, blameless post-mortem culture that the CCADB incident report guidelines expect CAs to embrace. Even for a company like Sectigo, the threat of a lawsuit from a well-resourced organization like DigiCert is worrisome, regardless of our confidence that Mr. Callan’s speech was proper, legally protected, and in the best interest of the WebPKI. Another party challenging DigiCert’s behavior, faced with this same threat, might choose simply to stop asking uncomfortable questions.

No CA should be allowed to intimidate its critics into silence. This would irreparably damage the integrity and quality of the WebPKI.

I am sharing this incident to bring attention to DigiCert’s actions and allow the community to evaluate this approach. What began as a discussion of the threat posed by certificate subscribers using the legal system to circumvent WebPKI security controls needs, in my opinion, to be broadened.