Message Body (3 of 6)

APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

1) Abuse of Discretionary Power:
The Module Owner’s failure to consider relevant factors that should have been given significant, or equal, weight, and deliberate mischaracterizations of facts intended to inflate the perceived risks of the Root Inclusion, resulted in an abuse of discretionary power.

a) The Module Owner, and Mozilla staff, have repeatedly indicated that the decision to distrust the Root Inclusion has been predicated on “credible evidence” as reported in the misleading Reuters articles (including those articles where Mozilla staff are quoted as news-makers), and on the totality of the information to be provided.

> “Much of the discussion has been about the desire for inclusion and distrust
> decisions to be made based on objective criteria that must be satisfied.
> However, if we rigidly applied our existing criteria, we would deny most
> inclusion requests. As I stated earlier in this thread, every distrust
> decision has a substantial element of subjectivity. One can argue that we are
> discussing a different kind of subjectivity here, but it still amounts to a
> decision being made on a collective assessment of all the information at hand
> rather than a checklist.” [1]

The Applicants have repeatedly challenged the misleading Reuters articles as being based on a singular false and defamatory allegation. The CEO of DarkMatter formally, and publicly, communicated to the Module Owner by letter dated 26 February, 2019 refuting the misleading Reuters articles. [2] The CEO of DarkMatter has also gone on the record with various media refuting the baseless and defamatory allegations. [3]

Notwithstanding the assertions of a decision “made on a collective assessment of all the information at hand”, the Module Owner, and Mozilla staff, have blatantly ignored, or failed to acknowledge and consider, any of the information provided by the Applicants to date.
On the other hand, the Module Owner has been less than impartial in his approach, consistently (in our view) minimizing the Applicants’ information, or public comments supporting the Applicants, while highlighting only those false and disputed articles that push a hidden agenda against the United Arab Emirates and the Applicants. [4]

b) Since the Module Owner has singularly defined the purpose of the Root Inclusion discussions as a necessary requirement for the protection of the security and privacy of individuals, the Applicants provided concrete evidence demonstrating that their work, since the very inception of the company, is fundamentally aligned with the goals of the Mozilla Manifesto. The Applicants further made a standing offer for the Mozilla organization and other media parties to visit the United Arab Emirates to see directly for themselves the work being conducted by the Applicants.

More specifically, the Applicants have provided several recent examples of their pro-bono activities to the Module Owner, with information regarding how critical security responsible disclosures are made by the Applicants and their affiliated companies, and which directly align with Mozilla’s principles to ensure that the internet, and other digital products, are safe for all users worldwide. E.g.:

- Pgpool – PgPoolAdmin Responsible Disclosure [5]
- Cisco - IP Phone Responsible Disclosure [6] [7]
- Sony - Smart TV Responsible Disclosure [8]
- FoxitSoftware - Foxit Reader Responsible Disclosure [9]
- Samsung - S Family Responsible Disclosure [10]
- LibreNMS Responsible Disclosure [11] [12] [13]
- ABB - HMI Responsible Disclosure [14] [15] [16]

Notwithstanding the above, the Module Owner has either blatantly ignored, or failed to acknowledge and consider, any of the above information provided, or the invitations accorded, by the Applicants to date, in making his decision.
c) In addition to attributing a false innuendo of “MitM Certificates” to the Applicants’ intention, the Module Owner has deliberately continued to mischaracterize the facts in a manner that is intended to overinflate the perceived risks of the Root Inclusion to the public at large.

> “The question that I originally presented to this community was about
> distrusting DarkMatter’s current intermediate CA Certificates (6 total) based
> on credible evidence of spying activities by the company.” [17]

The Module Owner is well aware that the original 3 intermediate CA Certificates (one for EV, one for OV, and one for Client Certificates) that were created for public trust issuance within the UAE national PKI were name constrained and had already been revoked by QuoVadis/DigiCert. [18] A decision this significant should be based on accurate facts, and not on the sort of mischaracterization that overinflates the risk.

Considering that a number of community participants, including Ryan Sleevi, a Mozilla CA Module participant employed by Google, have tried to justify any technical non-compliance as support for a revocation of the Applicants’ Root Inclusion (while conveniently ignoring the millions of users that were put at risk due to the same serial entropy violations of his own employer, Google) [19], the Module Owner would have, or should have, known that these types of mischaracterizations, when made in the process of rendering a discretionary decision, would continue to dramatically overstate the risks posed and prejudicially impact the Root Inclusion in a detrimental manner.

We call on Mozilla to define the basis and weighting of the new discretionary criterion being applied to the Applicants; we invite Mozilla to additionally consider a fact-based due process to inform their criterion; and we continue to extend our invitation to Mozilla to visit the Applicants and have unrestricted access to management and communities to learn first-hand about the work we do.
[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ
[2] https://bug1427262.bmoattachments.org/attachment.cgi?id=9046699
[3] https://www.cnbc.com/video/2019/06/17/darkmatter-ceo-we-do-not-spy-on-uae-citizens.html
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/t1SL5N-BBwAJ
[5] http://www.pgpool.net/pipermail/pgpool-committers/2018-December/005399.html
[6] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-rce
[7] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisooy/cisco-sa-20190703-ip-phone-sip-dos
[8] https://www.sony.com/electronics/support/downloads/00016213
[9] https://www.foxitsoftware.com/support/security-bulletins.php
[10] https://security.samsungmobile.com/securityUpdate.smsb
[11] https://github.com/librenms/librenms/pull/10276
[12] https://github.com/librenms/librenms/pull/10270
[13] https://github.com/librenms/librenms/pull/10091
[14] https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch
[15] https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
[16] https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
[17] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ
[18] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/8rN_X-0QBgAJ
[19] https://www.thesslstore.com/blog/mass-revocation-millions-of-certificates-revoked-by-apple-google-godaddy/

Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae

The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material.