G’day Wayne et al,

In response to your post overnight (included below), I want to assure you that DarkMatter’s work is solely focused on defensive cyber security, secure communications and digital transformation. We have never, nor will we ever, operate or manage non-defensive cyber activities against any nationality.

Furthermore, in the spirit of transparency, we have published all our public trust TLS certificates to appropriate CT log facilities (including even all our OV certificates) before this was even a requirement. We have been entirely transparent in our operations and with our clients as we consider this a vital component of establishing and maintaining trust. We have used FIPS certified HSMs as our source of randomness in creating our Authority certificates, so we have opened an investigation based on Corey Bonnell’s earlier post regarding serial numbers and will produce a corresponding bug report on the findings.

I trust this answers your concerns and we can continue the Root inclusion onboarding process.

Regards,
--
Scott Rea

On 2/23/19, 1:21 AM, "dev-security-policy on behalf of Wayne Thayer via dev-security-policy" <dev-security-policy-boun...@lists.mozilla.org on behalf of dev-security-policy@lists.mozilla.org> wrote:

The recent Reuters report on DarkMatter [1] has prompted numerous questions about their root inclusion request [2]. The questions that are being raised are equally applicable to their current status as a subordinate CA under QuoVadis (recently acquired by DigiCert [3]), so it seems appropriate to open up a discussion now.

The purpose of this discussion is to determine if Mozilla should distrust DarkMatter by adding their intermediate CA certificates that were signed by QuoVadis to OneCRL, and in turn deny the pending root inclusion request. The rationale for distrust is that multiple sources [1][4][5] have provided credible evidence that spying activities, including use of sophisticated targeted surveillance tools, are a key component of DarkMatter’s business, and such an organization cannot and should not be trusted by Mozilla.

In the past Mozilla has taken action against CAs found to have issued MitM certificates [6][7]. We are not aware of direct evidence of misused certificates in this case. However, the evidence does strongly suggest that misuse is likely to occur, if it has not already. Mozilla’s Root Store Policy [8] grants us the discretion to take actions based on the risk to people who use our products. Despite the lack of direct evidence of misissuance by DarkMatter, this may be a time when we should use our discretion to act in the interest of individuals who rely on our root store.

I would greatly appreciate everyone's constructive input on this issue.

- Wayne

[1] https://www.reuters.com/investigates/special-report/usa-spying-raven/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/hicp7AW8sLA/KUSn20MrDgAJ
[4] https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/
[5] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
[6] https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/Fj-LUvhVQYEJ
[7] https://bugzilla.mozilla.org/show_bug.cgi?id=1232689
[8] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Scott Rea | Senior Vice President - Trust Services
Tel: +971 2 417 1417 | Mob: +971 52 847 5093
scott....@darkmatter.ae
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy