G’day Wayne et al,

In response to your post overnight (included below), I want to assure you that 
DarkMatter’s work is solely focused on defensive cyber security, secure 
communications and digital transformation. We have never, nor will we ever, 
operate or manage non-defensive cyber activities against any nationality.

Furthermore, in the spirit of transparency, we have published all our public 
trust TLS certificates to appropriate CT log facilities (including even all our 
OV certificates) before this was even a requirement.  We have been entirely 
transparent in our operations and with our clients as we consider this a vital 
component of establishing and maintaining trust.

We have used FIPS certified HSMs as our source of randomness in creating our 
Authority certificates, so we have opened an investigation based on Corey 
Bonnell’s earlier post regarding serial numbers and will produce a 
corresponding bug report on the findings.

I trust this answers your concerns and we can continue the Root inclusion 
onboarding process.

Regards,

-- 
Scott Rea

On 2/23/19, 1:21 AM, "dev-security-policy on behalf of Wayne Thayer via 
dev-security-policy" <dev-security-policy-boun...@lists.mozilla.org on behalf 
of dev-security-policy@lists.mozilla.org> wrote:

    The recent Reuters report on DarkMatter [1] has prompted numerous questions
    about their root inclusion request [2]. The questions that are being raised
    are equally applicable to their current status as a subordinate CA under
    QuoVadis (recently acquired by DigiCert [3]), so it seems appropriate to
    open up a discussion now. The purpose of this discussion is to determine if
    Mozilla should distrust DarkMatter by adding their intermediate CA
    certificates that were signed by QuoVadis to OneCRL, and in turn deny the
    pending root inclusion request.
    
    The rationale for distrust is that multiple sources [1][4][5] have provided
    credible evidence that spying activities, including use of sophisticated
    targeted surveillance tools, are a key component of DarkMatter’s business,
    and such an organization cannot and should not be trusted by Mozilla. In
    the past Mozilla has taken action against CAs found to have issued MitM
    certificates [6][7]. We are not aware of direct evidence of misused
    certificates in this case. However, the evidence does strongly suggest that
    misuse is likely to occur, if it has not already.
    
    Mozilla’s Root Store Policy [8] grants us the discretion to take actions
    based on the risk to people who use our products. Despite the lack of
    direct evidence of misissuance by DarkMatter, this may be a time when we
    should use our discretion to act in the interest of individuals who rely on
    our root store.
    
    I would greatly appreciate everyone's constructive input on this issue.
    
    - Wayne
    
    [1] https://www.reuters.com/investigates/special-report/usa-spying-raven/
    [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262
    [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/hicp7AW8sLA/KUSn20MrDgAJ
    [4] https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/
    [5] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
    [6] https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/Fj-LUvhVQYEJ
    [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1232689
    [8] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Scott Rea | Senior Vice President - Trust Services
Tel: +971 2 417 1417 | Mob: +971 52 847 5093
scott....@darkmatter.ae


    _______________________________________________
    dev-security-policy mailing list
    dev-security-policy@lists.mozilla.org
    https://lists.mozilla.org/listinfo/dev-security-policy