Revocation Of Code Signing Certificates

Sectigo’s Certificate Practices Statement and subscriber license agreement require us to revoke any certificate that, to our knowledge, may be used for illegal or deceptive purposes. We believe that the ability to disable abused certificates is an important part of the public certificate ecosystem, and that for the general good it is appropriate for a public CA to revoke such certificates upon discovery.

Note that the same certificate can be used for both appropriate and inappropriate purposes at the same time. This can happen in several ways, including:

  • A legitimate certificate, or the private key that goes with it, is stolen by a cybercriminal

  • An employee or contractor uses a legitimate certificate for inappropriate purposes without the company’s knowledge

  • The company’s code, web site, or other digital assets are compromised by malware, cross-site scripting, or other attacks

In all of these scenarios the misuse can occur without the intention or knowledge of the individual who ordered the certificate and is nominally responsible for it. The problem may not stem from compromise of the certificate at all, but from an unrelated lapse in the certificate owner’s overall digital security, or from how a scanner interpreted the signed file.

We select outside information sources based on their reputation for quality. If a specific source no longer meets our standards, we can remove it from the sources we trust. This evaluation and updating is a continual part of operating as a public CA.

To determine whether one of our Code Signing certificates is being used to sign malware, we rely on credible third parties, including VirusTotal. These third parties are the most reliable sources of information about Sectigo certificates used for malware. As a Certificate Authority, we cannot depend on certificate owners to self-report, or to dispute reports as false positives, because they may not know that their certificates or digital properties have been compromised and may not be truthful with us.