G’day Folks,
As previously discussed on this thread, the DarkMatter Trust Services practice
(including DarkMatter CAs) has been operated in a separate entity to the DM
Group, that entity is Digital Trust – Sole Proprietorship L.L.C.
(“DigitalTrust”) which was established in the United Arab Emirates in 2016.
DigitalTrust is an affiliate of the DM Group. It was setup by the parent
company to exclusively provide the Trust related business and has never been
owned by DarkMatter LLC as a subsidiary since its incorporation. Up till now
however, DarkMatter LLC has been involved in facilitating aspects of the Trust
business, because we had some challenges with the trademarking of the
independent entity’s original name etc. and it became more efficient to utilize
the DM entity so as to not delay hiring and contracts etc. for the roll out of
UAE NPKI services. We have now finalized that issue and will be transitioning
all aspects of what has been known to the public as DM Trust Services
(including DarkMatter CAs etc.) to the independent company DigitalTrust. All
contracts for the CA Business are in the process of being novated over to
DigitalTrust.
DigitalTrust is headed by myself, and I am the key individual responsible for
management of the CA Business within Digital Trust. The shareholder of Digital
Trust is DM Investments, and the beneficial owner of DM Investments is Mr.
Faisal Al Bannai. Although Legal Ownership of the CA Business is changing (per
Section 8.1 of the Mozilla Root Policy), the Operational Personnel (Section
8.2) and Secure Location (Section 8.3) for infrastructure are not changing – it
is still my team who are the operators and only folks with control of Key
material. My team consists of professionals from many nations: Director of
Networks & Security Infrastructure is from USA; Director of Registration
Authority and Technical Support is from Sweden; Sr PKI Architect is from
Portugal; Sr Manager of CA Platform is from USA; other key personnel are from
Ecuador, India, Philippines, and Belarus. These folks have all re-located here
to the UAE to be a part of the DigitalTrust CA services.
From a program management perspective, the Policy Authority Board for
DigitalTrust remains the same as it was previously – this consists of
representation from four key areas of our business services: 1. PKI &
Technology Expert, 2. Legal Expert, 3. Policy & Risk/Governance Expert, 4.
Security Expert.
DigitalTrust is a private entity that has been engaged by the UAE Government to
build, operate and maintain – on the Governments behalf – the necessary
components of a National PKI. The Telecommunications Regulatory Authority (TRA)
is the relevant authority within the UAE Government for regulatory oversight
and leadership of the UAE National PKI program, but DigitalTrust has been
engaged with the following responsibilities:
- Operation of the NPKI technical infrastructure
- Advisory services for governance activities
- Representing the NPKI in Industry Working groups and relevant Trust
Communities
- Fulfill compliance and regulatory responsibilities for the NPKI
operations
DigitalTrust will now become the point of contact for the UAE Global Root
submissions.
DigitalTrust would also like withdraw the DarkMatter Root submissions
previously provided and will replace these with new DigitalTrust Roots that we
will use as the basis of trust for our commercial business going forward.
These actions will be reflected in the data contained in the CCADB.
Please advise if additional information relating to this change is required.
If anyone has any questions regarding this matter, please do not hesitate to
contact me.
Regards,
--
Scott Rea
On 3/19/19, 10:25 AM, "dev-security-policy on behalf of Scott Rea via
dev-security-policy" <dev-security-policy-boun...@lists.mozilla.org on behalf
of dev-security-policy@lists.mozilla.org> wrote:
G’day Folks,
It was a pleasure meeting many of the Mozilla community face to face at the
CAB Forum meeting at Apple HQ last week. There are many others of you however,
whose interface to the community is right here on this list, and so I wanted to
share my perspective and feedback here on the recent dialogue so that the
openness and transparency of the community is preserved.
Over the past few weeks, there’s been much debate and shared points of view
around DarkMatter’s multi-year process to have our CA Roots included in
Mozilla’s Root Store. Who could have predicted that along the way, the
community would have such wide-spread impact from the serialNumber entropy
issue? I do think the BRs are a little ambiguously worded in this regards, and
this is what certainly tripped us up, but upon learning what was intended by
the standard, DarkMatter has completed its revocation of every still valid
affected TLS certificate (~175), and we actioned that immediately, completing
the process over about 72 hrs (timing over the week-end in the UAE was not
optimal for us otherwise we could have completed it sooner). We still need to
re-issue the Issuing CAs and submitted Roots – these are dependent on the
availability of our WebTrust Auditors, but we expect this to be finalized in
the next week or so.
Many others in the community are also evaluating replacement of affected
certificates e.g. see [1] [2] [3], etc. But the volumes these organizations are
dealing with will make it difficult to meet BR revocation timelines, which is
why I think Mozilla’s recent acknowledgement of this challenge with a proposal
for an updated best practice for revocation is the right discussion to have.
I think this is where the community is at its best: working together to
identify and manage issues, learning from each other in how best to take action
and resolving it as quickly as possible while maintaining the security and
integrity of services for end users. After all, we ultimately share the same
goal: transparent community-based processes that promote participation,
accountability and trust [4].
Resolving this issue together is a good example of this principle in action.
As I reflect on the many discussions in this community, and also with the
40-odd companies at last week’s CA/B Forum, it is clear that there is quite an
interest in the DarkMatter story. Unfortunately, the one that has often been
promoted as evidence in this community – is one that is not based on truth, and
one that has consistently been refuted by DarkMatter. I would like to set the
record straight once and for all, and share with all of you why DarkMatter’s
story is not what some have claimed, but is, I believe, actually completely
aligned with Mozilla’s own manifesto.
DarkMatter Group was founded by Faisal Al Bannai, one of the most
accomplished business leaders in the Middle East [5], as a commercial business
entity that specializes in Cyber Security services, and solutions. Al Bannai
served as CEO and founder until recently (2018), when he handed over the
leadership role of the company to Karim Sabbagh, formerly the CEO of the world
leading satellite fleet operator SES [6]. Al Bannai is the sole beneficial
shareholder of the DarkMatter Group. The CA business that I head within the
DarkMatter Group, and which I will provide further details below, is a
completely independent business unit housed in a legally separate subsidiary
company.
The general business of the DarkMatter Group is all centered around
cybersecurity. DarkMatter is very active in our local constituency [7], [8],
[9], we have even developed and launched our own mobile phone [10]. The
Cybersecurity divisions of DarkMatter are fully engaged in and participate in
identifying and disclosing malicious applications that attack the security and
privacy of individuals everywhere. Some recent examples of this are where
DarkMatter researchers identified and informed Google of a malicious
application available on the Google play store [11], and DarkMatter researchers
also made a responsible disclosure to Apple of a significant attack that
“bypasses all native macOS security measures”, (which findings were also
presented at Hack-In-the-Box conference in Singapore [12]. This just highlights
a couple.
For those who have questioned who is really in the driving seat of the
DarkMatter CAs, I want to assure you that DarkMatter’s PKI business has always
been operated independently. We are a legally separate entity – housed under a
subsidiary of the DarkMatter Group. Only myself and my handpicked team ever
have hands on key material, and no single individual can effect an issuance
without the validation of a counterpart and always under multiparty and
multifactor authentication. We have stringent controls around who is eligible
to hold a trusted role, and they must continue to meet operational KPIs,
training and risk evaluation metrics to remain in their role. These are
validated via process review and audit.
It’s worth noting why DarkMatter decided to launch our commercial CA three
years ago - because citizens, residents and visitors to the UAE currently don’t
have access to local providers who can provide them with digital protections
all in local dialect and with local support - these are things perhaps taken
for granted in other parts of the world. We recognized this and want to make
sure our community has the same digital protections as everyone else because
every nation deserves the right to build secure, trusted digital environments
for the benefit of its citizens. As the operator for the UAE National PKI,
acceptance of the UAE Global Roots is critical for this nation that is at the
forefront of driving deployment of smart cities but where only 32% of its
websites are protected compared to the 65% enjoyed by the rest of the world.
At DarkMatter, we are committed to ensuring that all HTTP traffic is
transitioned to HTTPS nation-wide, and region-wide where we can provide
service. As we work towards the resolution of this issue, it is a good example
of the principle in action: where individuals’ security and privacy on the
internet are fundamental and must not be treated as optional [13].
As part of our long-term plan, our certificates will shortly be issued from
CA’s chaining to Roots of the independent PKI subsidiary – which is currently
undertaking a rebranding exercise (the original name attracted too many cyber
squatters). Once the branding is complete, the DarkMatter CA subsidiary will
be completely and wholly separate from the DarkMatter Group of companies in
their entirety, and operations will continue under this independent entity.
Although we have been planning this for some time, we are expediting the
process now as the serial number issue has brought about an opportunity to
rename the DM Roots as we re-issue them.
The DarkMatter CA subsidiary, is the fourth commercial CA that I have
contributed my services to for different companies over the course of my 20
years in this industry. Over that time, as now, I have seen that the
commercial involvement in the development of the internet brings many benefits
and a balance between commercial profit and public benefit is critical [14].
The fact that the UAE has decided to outsource the operations of its National
PKI to a private entity, is I think is clear acknowledgement that the
principles of trust and transparency don’t change, and it is best accomplished
by those who have demonstrated expertise. I therefore believe that a sovereign
UAE CA is a good example of the principle in action where the public benefit to
digitally securing the nation is overwhelming, especially with the UAE
experiencing a higher risk of suffering cyber-attacks. Together we have an
opportunity to make a real difference in this part of the world and this is
what I am passionate about and why I’ve been doing this work here for the past
three years.
Of course underpinning the benefits to the UAE and the rest of the world is
having free and open source software that promotes the development of the
internet as a public resource [15]. This goes beyond any company’s direct
commercial interests and I am committed to working with the community to
demonstrate this principle in action and the part we can all play in advancing
a safe and secure internet that is open and accessible to all [16]. I
understand that today the Mozilla community is not taking advantage of the CT
Logs as much as other browsers are. Submitting all our TLS certificates to CT
Logs has been a key initiative of our CA to demonstrate transparency in all
that we are doing. I would be happy for my team to contribute code back to the
open source community for validating TLS connections based on CT log data, so
that FireFox and other Mozilla products have more options for verifying the
work that we, and other CAs, are doing.
No one is an island in this business of trust – we all swim in the same
ocean. There should be consistent controls applied for all trust operators and
I think our current environment of standards communally developed by CAB Forum
and also codified in the Mozilla Root Store Policy help ensure that. We are
committed to trust everywhere on the internet and here at the DarkMatter CA, we
are working to ensure that protections are in place for our local community
commensurate with the rest of the world. We intend to take a more active role
in the Mozilla community and are pleased that our goals and objectives are so
closely aligned.
I hope that in future we can continue to move forward DarkMatter related
discussions based on fact and transparency. These principles are not only
necessary, but critical to ensuring the integrity of the trust community that
Mozilla has built.
Refs:
1.
https://www.thesslstore.com/blog/mass-revocation-millions-of-certificates-revoked-by-apple-google-godaddy/
2.
https://www.zdnet.com/article/apple-google-godaddy-misissued-tls-certificates-with-weak-serial-numbers/
3. https://www.theregister.co.uk/2019/03/13/tls_cert_revoke_ejbca_config/
4. https://www.mozilla.org/en-US/about/manifesto/ Principle 8: Transparent
community-based processes promote participation, accountability and trust
5.
https://www.arabianbusiness.com/lists/392531-100-inspiring-leaders-in-the-middle-east-94faisal-al-bannai
6. https://spacenews.com/ses-sabbagh-takes-ceo-job-at-uae-cyber-firm/
7.
https://gulfnews.com/technology/darkmatter-named-expo-2020s-cybersecurity-solutions-provider-1.2246547
8. http://www.itp.net/618203-blockchain-breaks-new-ground-at-gitex
9.
https://www.prnewswire.com/news-releases/darkmatter-introduces-blockchain-solutions-for-governments-and-enterprises-in-the-uae-597226021.html
10. https://www.darkmatter.ae/KATIM/
11.
https://www.darkmatter.ae/blogs/darkmatter-identifies-app-stealing-personal-information/
12.
https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/#7791c17a6fd6
13. https://www.mozilla.org/en-US/about/manifesto/ Principle 4:
Individuals’ security and privacy on the internet are fundamental and must not
be treated as optional
14. https://www.mozilla.org/en-US/about/manifesto/ Principle 9: Commercial
involvement in the development of the internet brings many benefits; a balance
between commercial profit and public benefit is critical
15. https://www.mozilla.org/en-US/about/manifesto/ Principle 7: Free and
open source software promotes the development of the internet as a public
resource
16. https://www.mozilla.org/en-US/about/manifesto/ Principle 2: the
internet is a global public resource that must remain open and accessible
Regards,
--
Scott Rea
On 3/6/19, 11:15 PM, "dev-security-policy on behalf of Kathleen Wilson via
dev-security-policy" <dev-security-policy-boun...@lists.mozilla.org on behalf
of dev-security-policy@lists.mozilla.org> wrote:
All,
Thank you to those of you that have been providing thoughtful and
constructive input into this discussion. I have been carefully reading
and contemplating all of the messages posted in the
mozilla.dev.security.policy forum.
As the owner of Mozilla’s CA Certificates Module[1] and in an effort to
respond to Matthew’s concerns about transparency[2], I would like to
share my current thoughts about DarkMatter’s intermediate certificates
and root inclusion request. I will make a decision after this
discussion
has run its full course.
I appreciate that representatives of DarkMatter are participating in
this discussion, and reiterate that I have not yet come to a decision.
I
would also like to remind everyone that we have not yet started the
public discussion phase of DarkMatter’s root inclusion request. This
discussion is separate from Mozilla’s root inclusion process, but will
determine if the process will continue for DarkMatter’s root inclusion
request. If this discussion concludes that DarkMatter’s intermediate
certificates should be added to OneCRL, then the root inclusion request
will be closed. However, if this discussion concludes that DarkMatter’s
intermediate certificates should not be added to OneCRL, then
DarkMatter’s root inclusion request will continue to follow the normal
process.
== Regarding DarkMatter’s current intermediate certificates ==
The current DarkMatter intermediate certificates are not constrained or
technically controlled by the parent CA, as was confirmed by a
representative of DigiCert[3]. This means that currently DarkMatter has
all of the certificate issuance capability of a root certificate that
is
directly included in Mozilla’s root store. This is why we are having
this discussion to determine if DarkMatter’s current intermediate
certificates should be added to OneCRL.
In my opinion, there are other options for DarkMatter. For example, a
CA
who is currently included in Mozilla’s program such as Digicert, could
issue DarkMatter new intermediate certificates that are owned and
controlled by DigiCert and for which DigiCert performs additional
domain
validation before issuance of end-entity certs in that CA hierarchy. I
think that an option like this would provide sufficient oversight of
DarkMatter’s certificate issuance, if we decide to add DarkMatter’s
current intermediate certificates to OneCRL.
== Regarding DarkMatter’s root inclusion request ==
Since I began working on Mozilla’s CA Program in 2008 I have rarely
seen
this much interest and opinions from the media and general public on
root inclusion requests, even though all of our process is performed in
the open[4] and includes a public discussion phase[5]. In my opinion,
we should pay attention to the messages we're receiving, and subject
this CA to additional scrutiny.
As others have already pointed out[6] DarkMatter’s root inclusion
request is reminiscent of CNNIC’s root inclusion request in 2009 [7]
and
their request to include an additional root in 2012 [8]. As Ryan
reminded us[9] in his excellent analysis, the decisions about the
inclusion of the CNNIC root certificates was based on “a rigid
application of policy”. In one of my posts[10] about CNNIC’s root
inclusion requests I stated:
“There was a lot of discussion about government, politics, legal
jurisdiction, what-if scenarios, and people’s opinions about the
Chinese
government. While I sympathize with people’s feelings about this,
Mozilla’s root program is based on policy and evidence. While CNNIC has
provided all of the required information to demonstrate their
compliance
with Mozilla’s CA Certificate Policy, no usable evidence has been
provided to show non-compliance with Mozilla’s CA Certificate Policy.”
As we all know, in 2015 Mozilla revoked trust in CNNIC certificates[11]
after discussion[12] in this forum regarding the discovery that an
intermediate CA under the CNNIC root was used to mis-issue TLS
certificates for some domains, and subsequently used for MiTM. In that
case, rigid application of the policy left our users at risk. This was
an important learning experience for us.
Root inclusion requests rarely receive this much attention. Another one
that we have been reminded of is TeliaSonera’s root inclusion
discussion[13], in which I stated: “Typically this would have been
considered a very standard request, but this discussion turned into a
political sounding board. Approval of this root-renewal request means
that the CA complies with Mozilla’s CA Certificate Policy and provides
annual audit statements attesting to their compliance. It in no way
reflects my opinion, or that of Mozilla, on the actions of the owner of
the CA in regards to their non-CA related businesses and practices.”
Unlike CNNIC, TeliaSonera still has root certificates in Mozilla’s root
store. Similar to many CAs in our program, TeliaSonera has had some
compliance problems[14], but (to my knowledge) no evidence has been
provided of TeliaSonera knowingly issuing certificates without the
knowledge of the entities whose information is referenced in the
certificates, or knowingly issuing certificates that appear to be
intended for fraudulent use. TeliaSonera’s reported compliance problems
have not yet been deemed to be egregious enough to warrant removal of
their root certificates. Therefore, it is not as simple as saying that
this DarkMatter root inclusion request seems similar to the CNNIC
situation, so we should not approve DarkMatter’s root inclusion request.
However, I believe that the CNNIC experience is a valuable lesson that
should be taken into account when making a decision on DarkMatter.
During CNNIC’s root inclusion process, the community expressed grave
concerns about the company based on credible reports that they had been
involved in interception and surveillance of web traffic, including
providing malware products to others such as their government. Even
with
these credible news reports, the community was unable to obtain
technical evidence of intentional certificate mis-issuance, so I
approved their root inclusion request. In essence this meant ignoring
the evidence that had been provided because I deemed that it was not
directly applicable to the policy requirements for being a CA in our
program. However, it wasn’t until much later that there was sufficient
evidence to remove the CNNIC’s root certificate. Therefore, we should
not ignore credible news reports regarding DarkMatter.
Matthew correctly stated[15] that he “can not recall use of subjective
discretion to deny admission to the program.” As demonstrated in both
the CNNIC and TeliaSonera requests I have always tried to be as
objective as possible in regards to root inclusion requests. However,
as
Ryan pointed out[16] “the program is, and has always been, inherently
subjective and precisely designed to support discretionary decisions.”
And Wayne said[17]: “A stronger argument along these lines is that we
have plenty of CAs, so there is no good reason to take a risk on one
that we lack confidence in.” I do not believe that we should take a
certain action just because it is what we have always done. And we
should use all of the information that is available to us in analyzing
the risk that comes with including new root certificates, even if that
means the decision is more subjective than previous decisions. The
ultimate purpose of our transparency and our standards is to bolster
trust in our CA program. Ignoring information that doesn’t fall within
strict criteria does not serve that purpose.
Mozilla’s root store policy[18] says: “We will determine which CA
certificates are included in Mozilla's root program based on the risks
of such inclusion to typical users of our products.” To me this means
that if the risks of including a root certificate appear to outweigh
the
benefits, then we should deny the root inclusion. There are credible
reports from multiple sources[19] providing reason to not trust the
DarkMatter organization to issue TLS certificates without constraints.
I
think that the decision about DarkMatter should consider if the risk of
including DarkMatter’s root certificates outweighs the potential
benefit
to consumers of Mozilla’s root store.
As always, I continue to appreciate your thoughtful and constructive
input.
Thanks,
Kathleen
[1] https://wiki.mozilla.org/Modules/All#CA_Certificates
[2]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/hi3WDHlYAgAJ
[3]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/I8CYOScMBgAJ
[4] https://wiki.mozilla.org/CA/Dashboard
[5]
https://wiki.mozilla.org/CA/Application_Verification#Public_Discussion
[6]
https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else
[7] https://bugzilla.mozilla.org/show_bug.cgi?id=476766
[8]
https://groups.google.com/d/msg/mozilla.dev.security.policy/QEwyx6TQ5TM/qzX_WsKwvIgJ
[9]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/rNWEMEkUAQAJ
[10]
https://groups.google.com/d/msg/mozilla.dev.security.policy/QEwyx6TQ5TM/c3GXKsASCX4J
[11]
https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/
[12]
https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/Fj-LUvhVQYEJ
[13]
https://groups.google.com/d/msg/mozilla.dev.security.policy/mirZzYH5_pI/5LJ-X-XfIdwJ
[14] https://wiki.mozilla.org/CA/Incident_Dashboard
[15]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/ew5ZnJtVAgAJ
[16]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/IfewIb0hAgAJ
[17]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/joyWkf5TAgAJ
[18]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
[19]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ
Scott Rea | Senior Vice President - Trust Services
Tel: +971 2 417 1417 | Mob: +971 52 847 5093
scott....@darkmatter.ae
The information transmitted, including attachments, is intended only for
the person(s) or entity to which it is addressed and may contain confidential
and/or privileged material. Any review, retransmission, dissemination or other
use of, or taking of any action in reliance upon this information by persons or
entities other than the intended recipient is prohibited. If you received this
in error, please contact the sender and destroy any copies of this information.
Scott Rea | Senior Vice President - Trust Services
Tel: +971 2 417 1417 | Mob: +971 52 847 5093
scott....@darkmatter.ae
The information transmitted, including attachments, is intended only for the
person(s) or entity to which it is addressed and may contain confidential
and/or privileged material. Any review, retransmission, dissemination or other
use of, or taking of any action in reliance upon this information by persons or
entities other than the intended recipient is prohibited. If you received this
in error, please contact the sender and destroy any copies of this information.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
