The bug requesting that the existing subordinate CAs be added to OneCRL is
https://bugzilla.mozilla.org/show_bug.cgi?id=1564544

On Tue, Jul 9, 2019 at 8:31 AM Wayne Thayer <wtha...@mozilla.com> wrote:

> I would like to thank everyone for their constructive input on this
> difficult issue. I would also like to thank DarkMatter representatives for
> participating in the open, public discussion. I feel that the discussion
> has now, after more than 4 months, run its course.
>
> The question that I originally presented [1] to this community was about
> distrusting DarkMatter’s current intermediate CA certificates (6 total)
> based on credible evidence of spying activities by the company. While a
> decision to revoke trust in these intermediates would likely result in a
> denial of DarkMatter’s root inclusion request [2], the public discussion
> for that request has not yet begun. A decision not to revoke these
> intermediates does not necessarily mean that the inclusion request will be
> approved.
>
> Some of this discussion has revolved around compliance issues, the most
> prominent one being the serial number entropy violations discovered by
> Corey Bonnell. While these issues would certainly be a consideration when
> evaluating a root inclusion request, they are not sufficient to have
> triggered an investigation aimed at revoking trust in the DarkMatter
> intermediates or QuoVadis roots. Therefore, they are not relevant to the
> question at hand.
>
> Much of the discussion has been about the desire for inclusion and
> distrust decisions to be made based on objective criteria that must be
> satisfied. However, if we rigidly applied our existing criteria, we would
> deny most inclusion requests. As I stated earlier in this thread, every
> distrust decision has a substantial element of subjectivity. One can argue
> that we’re discussing a different kind of subjectivity here, but it still
> amounts to a decision being made based on a collective assessment of all
> the information at hand rather than a checklist.
>
> Some, including DarkMatter representatives [3], have declared the need to
> examine and consider the benefits of having DarkMatter as a trusted CA.
> However, last year we changed our policy to replace the weighing of
> benefits and risks with “based on the risks of such inclusion to typical
> users of our products.” [4]
>
> Perhaps the most controversial element in this discussion has been the
> consideration of “credible evidence”. The first component is the inherent
> uncertainty over what is “credible”, especially in this day and age. While
> it has been pointed out that respected news organizations are not beyond
> reproach [5], having four independent articles [6][7][8][9] from reputable
> sources published years apart does provide some indication that the
> allegations are credible. These articles are also extensively sourced.
>
> If we assume for a second that these allegations are true, then there is
> still a sincere debate over what role they should play in our decision to
> trust DarkMatter as a CA. The argument for considering these allegations is
> akin to the saying “where there’s smoke there’s fire”, while the argument
> against can be described as “innocent until proven guilty”.
>
> DarkMatter has argued [3] that their CA business has always been operated
> independently and as a separate legal entity from their security business.
> Furthermore, DarkMatter states that once a rebranding effort is completed,
> “the DarkMatter CA subsidiary will be completely and wholly separate from
> the DarkMatter Group of companies in their entirety.” However, in the same
> message, DarkMatter states that “Al Bannai is the sole beneficial
> shareholder of the DarkMatter Group.” and leaves us to assume that Mr. Al
> Bannai would remain the sole owner of the CA business. More recently,
> DarkMatter announced that they are transitioning all aspects of the
> business to DigitalTrust and confirmed that Al Bannai controls this entity.
> This ownership structure does not assure me that these companies have the
> ability to operate independently, regardless of their names and legal
> structure.
>
> Mozilla’s principles should be at the heart of this decision. “The Mozilla
> Manifesto [10] states:
>
> Individuals’ security and privacy on the internet are fundamental and must
> not be treated as optional.”
>
> And our Root Store policy states: “We will determine which CA certificates
> are included in Mozilla's root program based on the risks of such inclusion
> to typical users of our products.”
>
> In other words, our foremost responsibility is to protect individuals who
> rely on Mozilla products.  I believe this framing strongly supports a
> decision to revoke trust in DarkMatter’s intermediate certificates. While
> there are solid arguments on both sides of this decision, it is reasonable
> to conclude that continuing to place trust in DarkMatter is a significant
> risk to our users. I will be opening a bug requesting the distrust of
> DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also
> recommend denial of the pending inclusion request, and any new requests
> from DigitalTrust.
>
> In the past, we’ve seen CAs attempt to make an end run around adverse
> trust decisions - through an acquisition, a shell company, etc. We will
> treat any such attempt as a violation of this decision and act accordingly.
> Mozilla does welcome DigitalTrust as a “managed” subordinate CA under the
> oversight of an existing trusted CA that retains control of domain
> validation and the private keys.
>
> This discussion has highlighted an opportunity to improve our review of
> new externally-operated subordinate CAs [11]. This issue [12] is part of
> the current policy update discussions.
>
> Wayne
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262
> [3]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/mJ0EV2eoCgAJ
> [4]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/58F6FgeGOz8/Zzb-r76wBQAJ
> [5]
> https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/11/27/bloomberg-is-still-reporting-on-challenged-story-regarding-china-hardware-hack/
> [6]
> https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
> [7] https://www.reuters.com/investigates/special-report/usa-spying-raven/
> [8]
> https://www.nytimes.com/2019/03/21/us/politics/government-hackers-nso-darkmatter.html
> [9] https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/
> [10] https://www.mozilla.org/en-US/about/manifesto/
> [11]
> https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits
> [12] https://github.com/mozilla/pkipolicy/issues/169
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
