The bug requesting that the existing subordinate CAs be added to OneCRL is

On Tue, Jul 9, 2019 at 8:31 AM Wayne Thayer <> wrote:

> I would like to thank everyone for their constructive input on this
> difficult issue. I would also like to thank DarkMatter representatives for
> participating in the open, public discussion. I feel that the discussion
> has now, after more than 4 months, run its course.
>
> The question that I originally presented [1] to this community was about
> distrusting DarkMatter’s current intermediate CA certificates (6 total)
> based on credible evidence of spying activities by the company. While a
> decision to revoke trust in these intermediates would likely result in a
> denial of DarkMatter’s root inclusion request [2], the public discussion
> for that request has not yet begun. A decision not to revoke these
> intermediates does not necessarily mean that the inclusion request will be
> approved.
>
> Some of this discussion has revolved around compliance issues, the most
> prominent one being the serial number entropy violations discovered by
> Corey Bonnell. While these issues would certainly be a consideration when
> evaluating a root inclusion request, they are not sufficient to have
> triggered an investigation aimed at revoking trust in the DarkMatter
> intermediates or QuoVadis roots. Therefore, they are not relevant to the
> question at hand.
>
> Much of the discussion has been about the desire for inclusion and
> distrust decisions to be made based on objective criteria that must be
> satisfied. However, if we rigidly applied our existing criteria, we would
> deny most inclusion requests. As I stated earlier in this thread, every
> distrust decision has a substantial element of subjectivity. One can argue
> that we’re discussing a different kind of subjectivity here, but it still
> amounts to a decision being made based on a collective assessment of all
> the information at hand rather than a checklist.
>
> Some, including DarkMatter representatives [3], have declared the need to
> examine and consider the benefits of having DarkMatter as a trusted CA.
> However, last year we changed our policy to replace the weighing of
> benefits and risks with “based on the risks of such inclusion to typical
> users of our products.” [4]
>
> Perhaps the most controversial element in this discussion has been the
> consideration of “credible evidence”. The first component is the inherent
> uncertainty over what is “credible”, especially in this day and age. While
> it has been pointed out that respected news organizations are not beyond
> reproach [5], having four independent articles [6][7][8][9] from reputable
> sources published years apart does provide some indication that the
> allegations are credible. These articles are also extensively sourced.
>
> If we assume for a second that these allegations are true, then there is
> still a sincere debate over what role they should play in our decision to
> trust DarkMatter as a CA. The argument for considering these allegations is
> akin to the saying “where there’s smoke there’s fire”, while the argument
> against can be described as “innocent until proven guilty”.
>
> DarkMatter has argued [3] that their CA business has always been operated
> independently and as a separate legal entity from their security business.
> Furthermore, DarkMatter states that once a rebranding effort is completed,
> “the DarkMatter CA subsidiary will be completely and wholly separate from
> the DarkMatter Group of companies in their entirety.” However, in the same
> message, DarkMatter states that “Al Bannai is the sole beneficial
> shareholder of the DarkMatter Group” and leaves us to assume that Mr. Al
> Bannai would remain the sole owner of the CA business. More recently,
> DarkMatter announced that they are transitioning all aspects of the
> business to DigitalTrust and confirmed that Al Bannai controls this entity.
> This ownership structure does not assure me that these companies have the
> ability to operate independently, regardless of their names and legal
> structure.
>
> Mozilla’s principles should be at the heart of this decision. The Mozilla
> Manifesto [10] states: “Individuals’ security and privacy on the internet
> are fundamental and must not be treated as optional.”
>
> And our Root Store policy states: “We will determine which CA certificates
> are included in Mozilla's root program based on the risks of such inclusion
> to typical users of our products.”
>
> In other words, our foremost responsibility is to protect individuals who
> rely on Mozilla products. I believe this framing strongly supports a
> decision to revoke trust in DarkMatter’s intermediate certificates. While
> there are solid arguments on both sides of this decision, it is reasonable
> to conclude that continuing to place trust in DarkMatter is a significant
> risk to our users. I will be opening a bug requesting the distrust of
> DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also
> recommend denial of the pending inclusion request, and any new requests
> from DigitalTrust.
>
> In the past, we’ve seen CAs attempt to make an end run around adverse
> trust decisions - through an acquisition, a shell company, etc. We will
> treat any such attempt as a violation of this decision and act accordingly.
> Mozilla does welcome DigitalTrust as a “managed” subordinate CA under the
> oversight of an existing trusted CA that retains control of domain
> validation and the private keys.
>
> This discussion has highlighted an opportunity to improve our review of
> new externally-operated subordinate CAs [11]. This issue [12] is part of
> the current policy update discussions.
>
> Wayne
> [1]
> [2]
> [3]
> [4]
> [5]
> [6]
> [7]
> [8]
> [9]
> [10]
> [11]
> [12]