Thanks again to all of you who have been providing thoughtful and constructive input into this discussion. As I previously indicated [1], this has been a difficult decision to make. I have been carefully reading and contemplating the input that you all have been providing in this forum.

I concur with Wayne’s recommendation [2] to add DarkMatter’s existing intermediate certificates to OneCRL (, and decline DarkMatter’s root inclusion request ( I will update those bugs to reflect my decision to distrust the intermediate certs and to decline the root inclusion request.

I also concur with Wayne that DarkMatter (a.k.a DigitalTrust) is welcome to be a “managed” subordinate CA under the oversight of an existing trusted CA that retains control of domain validation and the private keys.

Below are some additional comments I would like to share.

I was intrigued by Matthew’s FICO score analogy [3] demonstrating that bias should be removed from the decision making process. I agree with Gijs’ suggestion [4] that a more applicable analogy is being a guarantor on a large loan. As Gijs’ said: you should never “be a guarantor for anybody unless you're very, very sure of that person, because you have effectively no recourse if the debtor leaves you holding the bag.” If I had thought of myself (or Mozilla) as a guarantor of the CNNIC CA, then all of the concerns that people had raised about CNNIC during their root inclusion request would have enabled me to say that I was not confident that CNNIC would continue to fulfill their commitments as a CA in Mozilla’s program. That could have prevented the difficulties that arose when the CNNIC root was used to mis-issue TLS certificates that were subsequently used for MiTM.

Some of you have pointed out that Mozilla needs to provide more oversight and scrutiny of subordinate CAs, and I fully agree with you. With over 3,000 subordinate CA certificates chaining to root certificates in Mozilla’s program, we need automation to extend checks and balances to all of them. I have been working towards this via the Common CA Database (CCADB) [5]. The good news is that most of the subordinate CAs in Mozilla’s program are “managed” subordinate CAs, which means that the root CA retains control of the private keys and domain validation. As Wayne mentioned, we are also working on improving our policy and process to provide better oversight of the other, “externally-operated”, subordinate CAs[6,7].


[1] [2] [3] [4]

dev-security-policy mailing list

Reply via email to