Message Body (3 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

1) Abuse of Discretionary Power:

The Module Owner’s failure to consider relevant factors that should have been 
given significant, or equal weight, and deliberate mischaracterizations of 
facts intended to inflate the perceived risks of the Root Inclusion, resulted 
in an abuse of discretionary power.

a) The Module Owner, and Mozilla staff, have repeatedly indicated that the 
decision to distrust the Root Inclusion has been predicated on “credible 
evidence” as reported in the misleading Reuters articles (including those 
articles where Mozilla staff are quoted as news-makers), and on the totality of 
the information to be provided.

> “Much of the discussion has been about the desire for inclusion and distrust
> decisions to be made based on objective criteria that must be satisfied. However,
> if we rigidly applied our existing criteria, we would deny most inclusion requests.
> As I stated earlier in this thread, every distrust decision has a substantial
> element of subjectivity. One can argue that we are discussing a different kind of
> subjectivity here, but it still amounts to a decision being made on a collective
> assessment of all the information at hand rather than a checklist.” [1]

The Applicants have repeatedly challenged the misleading Reuters articles as 
being based on a singular false and defamatory allegation. The CEO of 
DarkMatter formally, and publicly, communicated to the Module Owner by letter 
dated 26 February, 2019 refuting the misleading Reuters articles. [2] The 
CEO of DarkMatter has also gone on the record with various media refuting the 
baseless and defamatory allegations. [3]

Notwithstanding the assertions of a decision “made on a collective 
assessment of all the information at hand”, the Module Owner, and Mozilla 
staff, have blatantly ignored, or failed to acknowledge and consider, any of 
the information provided by the Applicants to-date. On the other hand, the 
Module Owner has been less than impartial in his approach, consistently (in our 
view) minimizing the Applicants’ information, or public comments supporting the 
Applicants, while highlighting only those false, and disputed articles that 
push a hidden agenda against the United Arab Emirates and the Applicants. [4]

b) Since the Module Owner has singularly defined the purpose of the Root 
Inclusion discussions as a necessary requirement for the protection of the 
security and privacy of individuals, the Applicants provided concrete evidence 
demonstrating that their work, since the very inception of the company, is 
fundamentally aligned with the goals of the Mozilla Manifesto. The Applicants 
further made a standing offer, for the Mozilla organization and other media 
parties to visit the United Arab Emirates to see directly for themselves the 
work being conducted by the Applicants.

More specifically, the Applicants have provided several recent examples of 
their pro-bono activities to the Module Owner with information regarding how 
critical security responsible disclosures are made by the Applicants and their 
affiliated companies, and which directly align with Mozilla’s principles to 
ensure that the internet, and other digital products, are safe for all users 
worldwide. E.g.:

-  Pgpool – PgPoolAdmin Responsible Disclosure [5]
-  Cisco - IP Phone Responsible Disclosure [6] [7]
-  Sony - Smart TV Responsible Disclosure [8]
-  FoxitSoftware - Foxit Reader Responsible Disclosure [9]
-  Samsung - S Family Responsible Disclosure [10]
-  LibreNMS Responsible Disclosure [11] [12] [13]
-  ABB - HMI Responsible Disclosure [14] [15] [16]

Notwithstanding the above, the Module Owner has either blatantly ignored, or 
failed to acknowledge and consider, any of the above information provided, or 
the invitations accorded, by the Applicants to-date, in making his decision.

c) In addition to attributing a false innuendo of “MitM Certificates” to the 
Applicants’ intention, the Module Owner has deliberately continued to 
mischaracterize the facts in a manner that is intended to overinflate the 
perceived risks of the Root Inclusion to the public at large.

> “The question that I originally presented to this community was about distrusting
> DarkMatter’s current intermediate CA Certificates (6 total) based on credible
> evidence of spying activities by the company.” [17]

The Module Owner is well aware that the original 3 intermediate CA Certificates 
(one for EV, one for OV, and one for Client Certificates) that were created for 
public trust issuance within the UAE national PKI were name constrained and had 
already been revoked by QuoVadis/Digicert. [18] A decision this significant 
should be based on accurate facts, and not on the sort of mischaracterization 
that overinflates the risk.

Considering that a number of community participants, including Ryan Sleevi, a 
Mozilla CA Module participant employed by Google, have tried to justify any 
technical non-compliance as support for a revocation of the Applicants’ Root 
Inclusion (while conveniently ignoring the millions of users that were put at risk 
due to the same serial entropy violations of his own employer Google) [19], the 
Module Owner would have, or should have, known that these types of 
mischaracterizations, when made in the process of rendering a discretionary 
decision, would continue to dramatically overstate the risks posed and 
prejudicially impact the Root Inclusion in a detrimental manner.

We call on Mozilla to define the basis and weighting of the new discretionary 
criterion being applied to the Applicants; we invite Mozilla to additionally 
consider a fact-based due process to inform their criterion; and we continue to 
extend our invitation to Mozilla to visit the Applicants and have unrestricted 
access to management and communities to learn first-hand about the work we do.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ
[2] https://bug1427262.bmoattachments.org/attachment.cgi?id=9046699
[3] https://www.cnbc.com/video/2019/06/17/darkmatter-ceo-we-do-not-spy-on-uae-citizens.html
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/t1SL5N-BBwAJ
[5] http://www.pgpool.net/pipermail/pgpool-committers/2018-December/005399.html
[6] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-rce
[7] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisooy/cisco-sa-20190703-ip-phone-sip-dos
[8] https://www.sony.com/electronics/support/downloads/00016213
[9] https://www.foxitsoftware.com/support/security-bulletins.php
[10] https://security.samsungmobile.com/securityUpdate.smsb
[11] https://github.com/librenms/librenms/pull/10276
[12] https://github.com/librenms/librenms/pull/10270
[13] https://github.com/librenms/librenms/pull/10091
[14] https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch
[15] https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
[16] https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
[17] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ
[18] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/8rN_X-0QBgAJ
[19] https://www.thesslstore.com/blog/mass-revocation-millions-of-certificates-revoked-by-apple-google-godaddy/

Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy