(Writing in my personal capacity) One of the things that I think is important is to tease out factual predicates that could be grounds for exclusion. It's clear to me that there is a tremendous level of unease with DarkMatter, largely (though not exclusively!) as a result of the Reuters article. Being able to articulate which conduct described there is incompatible with participation in the Mozilla Root Program.

I propose two answers (to start with :-)):

First is honesty. Even as we build technologies such as CT and audit regimes which improve auditability and accountability, CAs are ultimately in the business of trust. https://twitter.com/josephfcox/status/1090592247379361792 makes the argument that DarkMatter has been in the business of lying to journalists. Lying is fundamentally incompatible with trust.

Second is vulnerability exploitation. The Reuters article describes use of the "Karma" malware/exploits against iOS. It's difficult for me to imagine anyone in the business of using iOS 0days that doesn't also have a few Firefox exploits up their sleeve (possibly in the form of Tor Browser 0days). This is a leap, but not a big one. Using Firefox 0days in the wild (particularly against the sort of targets alleged: human rights activists, journalists, etc.) is not compatible with Mozilla's mission, or our parochial interest in the security of our own software.

Alex

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy