Certificate revocation is the process of invalidating a code signing certificate before its scheduled expiration date. It is software industry-standard best practice to revoke any code signing certificate associated with a security breach, because that certificate may have been used to sign compromised code.
Sectigo’s Certificate Practices Statement and license agreement require the company to revoke any certificate that to its knowledge may be used for illegal or dishonest activities.
Since the same certificate could be used for both legitimate and illegitimate purposes, Sectigo relies on credible third parties to provide accurate information about Sectigo certificates being used to sign malware.
Sectigo may revoke the code signing certificate in the following instances:
- A cybercriminal steals or alters a valid code signing certificate.
- A contractor or employee uses a valid certificate for deceptive purposes without the company’s knowledge.
- The company’s code, website, or software is infected with malware or compromised by another cyber attack.
As a Certificate Authority, Sectigo cannot rely on self-reporting of false positives by code signing certificate owners, because those owners may not know that their certificates or digital goods have been compromised.
Source: Sectigo’s Knowledge Base