A formal appeal has been filed with the Mozilla Foundation Board of Directors.  
In the spirit of transparency, we will be posting the contents of the Appeal to 
this forum in six (6) separate messages.

Benjamin Gabriel

Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Kathleen Wilson via dev-security-policy
Sent: Tuesday, July 16, 2019 8:20 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DarkMatter Concerns

Thanks again to all of you who have been providing thoughtful and constructive 
input into this discussion. As I previously indicated [1], this has been a 
difficult decision to make. I have been carefully reading and contemplating the 
input that you all have been providing in this forum.

I concur with Wayne’s recommendation [2] to add DarkMatter’s existing 
intermediate certificates to OneCRL 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1564544), and decline 
DarkMatter’s root inclusion request 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1427262). I will update those 
bugs to reflect my decision to distrust the intermediate certs and to decline 
the root inclusion request.

I also concur with Wayne that DarkMatter (a.k.a. DigitalTrust) is welcome to be 
a “managed” subordinate CA under the oversight of an existing trusted CA that 
retains control of domain validation and the private keys.

Below are some additional comments I would like to share.

I was intrigued by Matthew’s FICO score analogy [3] demonstrating that bias 
should be removed from the decision making process. I agree with Gijs’ 
suggestion [4] that a more applicable analogy is being a guarantor on a large 
loan. As Gijs said: you should never “be a guarantor for anybody unless you're 
very, very sure of that person, because you have effectively no recourse if the 
debtor leaves you holding the bag.” If I had thought of myself (or Mozilla) as 
a guarantor of the CNNIC CA, then all of the concerns that people had raised 
about CNNIC during their root inclusion request would have enabled me to say 
that I was not confident that CNNIC would continue to fulfill their commitments 
as a CA in Mozilla’s program. That could have prevented the difficulties that 
arose when the CNNIC root was used to mis-issue TLS certificates that were 
subsequently used for MiTM.

Some of you have pointed out that Mozilla needs to provide more oversight and 
scrutiny of subordinate CAs, and I fully agree with you.
With over 3,000 subordinate CA certificates chaining to root certificates in 
Mozilla’s program, we need automation to extend checks and balances to all of 
them. I have been working towards this via the Common CA Database (CCADB) [5]. 
The good news is that most of the subordinate CAs in Mozilla’s program are 
“managed” subordinate CAs, which means that the root CA retains control of the 
private keys and domain validation. As Wayne mentioned, we are also working on 
improving our policy and process to provide better oversight of the other, 
“externally-operated”, subordinate CAs [6,7].


[5] https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/
[7] https://github.com/mozilla/pkipolicy/issues/169

dev-security-policy mailing list