Message Body (4 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

1) Discriminatory Practices;

The Module Owner conducted his decision making process, and allowed the 
distrust discussion to proceed, in a manner contrary to the Mozilla Foundation 
commitment to an “Internet that includes all the peoples of the earth – where a 
person demographic characteristics do not determine their online access, 
opportunities, or quality of experience”.

a) The Applicants notified Mozilla of their Root Inclusion request in December 
of 2017. All TLS certificates (both EV and OV) were logged to CT.  The 
Applicants completed Webtrust certification for CA, for BRs, and for EV in 
October 2017, and submitted the United Arab Emirates Global Roots as well as 
the Applicants’ own Commercial Roots to Mozilla for inclusion.  In October 
2018, the Applicants completed their second year of the required WebTrust 
Audits for CA, BRs, and EV and provided the same to Mozilla for inclusion with 
their root submission. Mozilla completed a successful Policy/Process review of 
and technical review of the UAE Global Roots and the Applicants’ Commercial 
Roots in January of 2019.  Notwithstanding the above, nowhere in his decision, 
nor in the call for distrust, did the Module Owner provide any weight on the 
Applicants exemplary conduct in the CA community as reflected in their WebTrust 
audits over the period of time leading up to the distrust discussion.

In February of 2019, citing the disputed Reuters articles, the Module Owner, 
and Mozilla staff began the distrust of the UAE Global Roots, including the 
Applicants’ Commercial Roots, and implicitly put into question the right of the 
United Arab Emirates to operate its existing public trust subordinate CAs 
through a commercial party located in the United Arab Emirates.

b) The distrust discussion marked a significant departure from the existing 
Mozilla process, in that the Module Owner had now abandoned the reliance on 
technical compliance and any qualification of the CA or its ability to 
demonstrate compliant operations.

> Some, including DarkMatter representatives, have declared the need to examine 
> and
> consider the benefits of having DarkMatter as a trusted CA. However, last 
> year we
> changed our policy to replace the weighing of benefits and risks with “based 
> on the
> risks of such inclusion to typical users of our products.” [1]

The new standard which the Module Owner has now discriminatorily applied solely 
to the UAE Global Roots and the Applicants’ Commercial Roots appears to be on 
the hypothetical and unfounded basis of what the Applicants may allegedly do in 
the future.

All of the facts lead would lead an objective person to conclude that the 
Module Owner has established a dangerous precedent that he wishes to 
discriminatorily apply only to the Applicants, solely on the basis of 
incorporation and residence in the United Arab Emirates.

c) Notwithstanding the Module Owner’s comments about safeguarding the typical 
users of Mozilla products, and in regards to the false and unsubstantiated 
allegation that the Applicants have engaged in spying activities (which the 
Applicants have repeatedly indicated they do not do); other participants have 
highlighted that a number of other companies, who currently provide offensive 
security and surveillance related services have been enrolled in the Mozilla 
Root Program for a number of years. [2]

Notwithstanding the Module Owner’s assertion (in his decision) that “our 
foremost responsibility is to protect individuals who rely on Mozilla 
products”, to-date the Module Owner has not contemplated or triggered a 
distrust discussion against any of these parties.

If, in fact, this decision is truly motivated by the issue of “trust” and the 
protection of individuals (rather than the creation of additional barriers that 
preserve incumbent parties continued market domination and monopolization), we 
call on the Mozilla Foundation to apply the same standard that the Module Owner 
wishes to apply to the Applicants, and immediately start the process of 
distrust discussion for all CAs in the Mozilla Root Store who are either 
affiliated, directly, or indirectly, involved or even alleged to be in the 
business of offensive security and surveillance.

d) Furthermore, In accordance with the Mozilla “commitment to an internet that 
elevates critical thinking, reasoned arguments, shared knowledge, and 
verifiable facts”, we are of the view that the Module Owner failed in his 
fiduciary responsibility to moderate the distrust discussions, and reject 
public assertions that magnified divisive stereotypes about the United Arab 
Emirates and the Applicants.

The Module Owner would have, or should have known, that by remaining silent in 
the face of discriminatory and divisive comments about the United Arab Emirates 
and the Applicants, while at the same time continually highlighting the alleged 
and disputed Reuters’ articles without mentioning the lack of “verifiable 
facts”, the Applicants would be discriminatorily hampered in presenting their 
case for inclusion.

[1] 
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ
[2] 
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/M_Yj5vwrDQAJ


Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae

The information transmitted, including attachments, is intended only for the 
person(s) or entity to which it is addressed and may contain confidential 
and/or privileged material. Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon this information by persons or 
entities other than the intended recipient is prohibited. If you received this 
in error, please contact the sender and destroy any copies of this information.








_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to