All,

Please find below the TLMC's resolution of Dark Matter's appeal.

-Ekr [for the TLMC]


Introduction

On December 28, 2017, Scott Rae on behalf of Dark Matter filed a bug [https://bugzilla.mozilla.org/show_bug.cgi?id=1427262] asking for inclusion in the Mozilla Root store for four new trust anchors:

- DarkMatter Root CA G3
- DarkMatter Root CA G4
- UAE Global Root CA G3
- UAE Global Root CA G4

A lengthy discussion of the inclusion request ensued on the mozilla.dev.security.policy list [https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ], centering on allegations that Dark Matter and/or affiliated companies had engaged in offensive cyber operations and therefore might pose a risk to the integrity of the WebPKI. At the conclusion of the discussion, on July 9, 2019, Mozilla CA Certificate Policy Module Owner Wayne Thayer recommended (1) that the Dark Matter trust anchors not be included and (2) that the existing intermediate certificate authorities owned by Dark Matter be revoked. Module Peer Kathleen Wilson concurred.

Dark Matter and its affiliate company Digital Trust LLC appealed [https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/5P6myAgRDwAJ] to the Mozilla Board of Directors. However, as appeals in the module system are handled by the Mozilla TLMC [https://wiki.mozilla.org/Modules/Firefox_Technical_Leadership], the TLMC is responding to this appeal.


Review Criteria

The charter of the TLMC [https://wiki.mozilla.org/Modules/Firefox_Technical_Leadership] states:

> The Firefox Technical Leadership module (FTLM) is responsible for engineering coordination and escalation among the modules that make up Firefox, including ownership of the top-level module <https://wiki.mozilla.org/Modules/All#mozilla-toplevel>.
>
> The FTLM generally tries to avoid day-to-day involvement in operation of lower-level modules, but gets involved with decisions that are explicitly cross-module and with issues that cannot be resolved at lower levels, such as:
>
> - Resolution of decisions that do not fall clearly into any specific module or set of modules
> - Escalation of disputes beyond the module owner level

We believe that this language (“tries to avoid day to day involvement”), as well as long Mozilla tradition, implies that the TLMC should apply a large degree of deference to the decisions made by the individual modules, overriding those decisions only in cases where the TLMC believes it is necessary, for example because the decision was clearly wrong or the process which led to that decision was substantially flawed. In this case in particular, there is an extensive question of fact which the Module Owner was required to assess and, in general, the TLMC should not be second-guessing the Module Owner on such questions.


CA Decision-Making Standard

The Mozilla CA Policy clearly sets forth the standard which the Module Owner is to apply for root inclusion:

> We will determine which CA certificates are included in Mozilla's root program based on the risks of such inclusion to typical users of our products. We will consider adding additional CA certificates to the default certificate set upon request only by an authorized representative of the subject CA. We will make such decisions through a public process.
>
> ...
>
> We reserve the right to not include certificates from a particular CA in our root program. This includes (but is not limited to) cases where we believe that a CA has caused undue risks to users’ security, e.g. by knowingly issuing certificates without the knowledge of the entities whose information is referenced in those certificates ('MITM certificates'). Mozilla is under no obligation to explain the reasoning behind any inclusion decision.

(§ 7.1)

Similar language applies to the decision to remove or disable certificates:

> Mozilla MAY, at its sole discretion, decide to disable (partially or fully) or remove a certificate at any time and for any reason. This may happen immediately or on a planned future date. Mozilla will disable or remove a certificate if the CA demonstrates ongoing or egregious practices that do not maintain the expected level of service or that do not comply with the requirements of this policy.

(§ 7.3)

This language makes two things clear:

1. These decisions are to be made based on an assessment of the risks of inclusion to our users.
2. The ultimate decisions are entirely discretionary.

For these reasons, we would generally expect to defer to the Module Owner’s judgement unless we believed it was clearly wrong.


Basis for the Module Owner’s Decision

The Module Owner’s recommendation can be found here: https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c95

The core of the rationale is that there are credible allegations of spying activity by Dark Matter:

> The question that I originally presented [1] to this community was about distrusting DarkMatter’s current intermediate CA certificates (6 total) based on credible evidence of spying activities by the company.

The Module Owner concludes that the possibility that Dark Matter engaged in spying activity poses an unacceptable risk to our users:

> Mozilla’s principles should be at the heart of this decision. “The Mozilla Manifesto [10] states: Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.” And our Root Store policy states: “We will determine which CA certificates are included in Mozilla's root program based on the risks of such inclusion to typical users of our products.” In other words, our foremost responsibility is to protect individuals who rely on Mozilla products. I believe this framing strongly supports a decision to revoke trust in DarkMatter’s intermediate certificates.
>
> While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users. I will be opening a bug requesting the distrust of DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also recommend denial of the pending inclusion request, and any new requests from DigitalTrust.

This rationale -- risk to our users -- is clearly at the heart of the reasons described in § 7.1 and 7.3 of Mozilla’s Root Store Policy. This leaves us with two questions: (1) whether the Module Owner’s conclusion that the allegations were credible was reasonable and (2) whether the Module Owner’s conclusion that the allegations, if credible, posed a risk to our users was reasonable. In both cases, our conclusion is “yes”.


Credibility of the Allegations

There have been extensively reported allegations that DarkMatter was engaged in offensive cyber operations.

> While cybersecurity companies traditionally aim to ensure that the code in software and hardware is free of flaws — mistakes that malicious hackers can take advantage of — DarkMatter, according to sources familiar with the company’s activities, was trying to find and exploit these flaws in order to install malware. DarkMatter could take over a nearby surveillance camera or cellphone and basically do whatever it wanted with it — conduct surveillance, interfere with or change any electronic messages it emitted, or block the signals entirely.

(Intercept, 2016) [https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/]

> Stroud had been recruited by a Maryland cybersecurity contractor to help the Emiratis launch hacking operations, and for three years, she thrived in the job. But in 2016, the Emiratis moved Project Raven to a UAE cybersecurity firm named DarkMatter. Before long, Stroud and other Americans involved in the effort say they saw the mission cross a red line: targeting fellow Americans for surveillance.
>
> ...
>
> Mansoor was convicted in a secret trial in 2017 of damaging the country’s unity and sentenced to 10 years in jail. He is now held in solitary confinement, his health declining, a person familiar with the matter said. Mansoor’s wife, Nadia, has lived in social isolation in Abu Dhabi. Neighbors are avoiding her out of fear security forces are watching. They are correct. By June 2017 Raven had tapped into her mobile device and given her the code name Purple Egret, program documents reviewed by Reuters show. To do so, Raven utilized a powerful new hacking tool called Karma, which allowed operatives to break into the iPhones of users around the world.

(Reuters, 2019) [https://www.reuters.com/investigates/special-report/usa-spying-raven/]

DarkMatter states in its appeal that “The CEO of DarkMatter has also gone on the record with various media refuting the baseless and defamatory allegations”. This obviously creates a requirement to judge the relative credibility of the claims of DarkMatter versus those of the various news gathering organizations. In this context, it was not unreasonable for the Module Owner to treat these allegations, asserted by reputable news organizations, as credible and take them seriously.


Risk to Our Users

The question then becomes whether it is a potential risk to our users to allow DarkMatter to operate a certificate authority. At the heart of the question of whether an entity should be included in our root program is whether Mozilla can trust them to operate responsibly on behalf of the user. While it is not predetermined that an entity which has engaged in offensive cyber operations would deliberately misissue certificates, it does not seem implausible either.

The issue of corporate separation is raised as a potential mitigating factor here, namely that the certificate issuing operation is a different company from that which is allegedly performing offensive operations. However, as the Module Owner notes, they share owners:

> DarkMatter has argued [3] that their CA business has always been operated independently and as a separate legal entity from their security business. Furthermore, DarkMatter states that once a rebranding effort is completed, “the DarkMatter CA subsidiary will be completely and wholly separate from the DarkMatter Group of companies in their entirety.” However, in the same message, DarkMatter states that “Al Bannai is the sole beneficial shareholder of the DarkMatter Group.” and leaves us to assume that Mr. Al Bannai would remain the sole owner of the CA business. More recently, DarkMatter announced that they are transitioning all aspects of the business to DigitalTrust and confirmed that Al Bannai controls this entity. This ownership structure does not assure me that these companies have the ability to operate independently, regardless of their names and legal structure.

This is not an unreasonable concern.

In sum, we conclude that it was not unreasonable for the Module Owner to conclude that the allegations of misconduct by Dark Matter were credible and that if they were true then allowing DarkMatter into the root program posed an unacceptable risk to our users.


Appeal Grounds

As discussed above, taken alone we consider the Module Owner’s decision reasonable. We now turn to the details of DigitalTrust’s appeal, which focuses largely on process rather than on the merits of the Module Owner’s decision. DigitalTrust/Dark Matter’s appeal is in 6 parts. For reference, we link to each part below along with its initial summary.

Part 1: Conflict of Interest: https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/Qdfd3wgRDwAJ
Part 2: Procedural Fairness/Bias: https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/XpW2-SwMDwAJ
Part 3: Abuse of Discretionary Power: https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/Olr1NgoRDwAJ
Part 4: Discriminatory Practices: https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YoUMUAoRDwAJ
Part 5: Erroneous Legal Conclusions: https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/bMRuZwoRDwAJ
Part 6: Violation of Anti-Trust Laws: https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/VFc1fwoRDwAJ

We do not believe that the TLMC is an appropriate body to consider part 6, and therefore we considered only parts 1-5.


Part 1: Conflict of Interest

The appeal reads, in part:

> The Module Owner failed to recognize, or blatantly ignored, undisclosed Conflict of Interests posed by certain participants (including Mozilla Staff) who represent for-profit corporations with a significant (including, but not limited, to global market dominance and monopolization power) economic interest in the outcome of the Applicant’s Root Inclusion, and the distorting impact of such Conflict of Interests on the Module Owner’s discretionary decision.
>
> a) The Mozilla Corporation is a wholly-owned for-profit subsidiary of the Mozilla Foundation. The for-profit Mozilla Corporation provides internet based browser software and other related services. Access to the entire global internet traffic is controlled by four (4) Browser Root Stores (Mozilla Corporation, Google, Microsoft and Apple). Two of these commercial Browser Root Stores are the most significant search engine providers on the internet, and therefore have a substantial economic interest in the global Certificate Authority business (including in the United Arab Emirates). Approximately 93% to 94% of Mozilla Corporation’s revenues are derived from such search engine providers. [3]
>
> b) The Module Owner is employed by the for-profit Mozilla Corporation as a Certificate Authority Program manager. Key Mozilla staff who are involved in framing the negative media feedback about the Root Inclusion are also employed by the for-profit Mozilla Corporation. [4] Key CA/Policy participants in the Mozilla CA Module are also employed by other commercial Certificate Authorities/or Browser Stores which have a significant economic stake in the Root Inclusion decision [5].
>
> c) In light of the above, the Module Owner had a responsibility to ensure that any Conflict of Interests by any participants in the Root Inclusion discussions are clarified for the record so that undisclosed interests (including economic market domination and monopolization of the global Certificate Authority business ecosystem) which may distort the Module Owner’s decision making process are publicly disclosed for interested media, the general public, and global trade/competition regulators.

There are two claims here: first, that the participants in the discussion have a conflict of interest, and second, that the Module Owner has a conflict of interest.

The first claim misunderstands the structure of the process, which is one of open input but not consensus decision making. In this process, the Module Owner takes in input and uses it in whatever form they deem necessary to make their recommendation/decision. Thus, it is not necessary that participants publicly disclose conflicts. With that said, we note that the affiliations of many of the discussion participants are clearly listed on the wiki [https://wiki.mozilla.org/CA/Policy_Participants].

The second claim is that the Module Owner has a conflict because he is employed by Mozilla Corporation and Mozilla Corporation derives its revenue primarily from search engine providers who also happen to be certificate authorities. Given the large existing size of the CA market and the existence of a free certificate authority in the form of Let’s Encrypt, the link from a potential Google desire to avoid a new entrant to the CA market to a conflict of interest by a Mozilla employee seems tenuous at best. Therefore, we do not consider this a significant process issue.


Part 2: Procedural Fairness/Bias

The appeal states:

> The Module Owner’s decision making activities, and the supporting actions of other Mozilla staff, were not procedurally fair, transparent, absent of bias, nor made in good-faith.
>
> a) The Applicants are headquartered in the United Arab Emirates, and have wholly-owned subsidiaries domiciled in Canada and the European Union. The Applicants conduct all of their business strictly in accordance with the laws of the jurisdictions in which they operate and continue to do so. Over the past three and a half (3.5) years, the Applicants have successfully completed two (2) WebTrust public audits verifying that the Applicants’ CA business is operating in accordance with the technical standards stipulated within Mozilla Root Store Policy and the latest version of the CA/Browser Forum Requirements for the Issuance and Management of Publicly-Trusted Certificates. Furthermore, the Applicants have been ISO9001 and ISO27001 certified in their quality and information systems management as an independent verification of the management controls and governance in place for the operations of the business itself.
>
> b) To-date the Applicants have not been cited for any non-compliance with the laws of the jurisdictions in which they operate, and there has never been any credible evidence of their malfeasance in any form or shape whatsoever.
>
> c) Notwithstanding the above, by directly asserting and attributing a false innuendo of “MitM Certificates” to the Applicants’ intention, the Module Owner deliberately framed the public discussion about the merits of the Root Inclusion requests in a significantly detrimental manner from the outset.

As with Part 1, this misunderstands the purpose of the open discussion, which is to provide the Module Owner with the information they need to make a decision, not to form a community consensus with the Module Owner as an impartial arbiter. Moreover, we don’t agree that the framing was unfair. The relevant text is:

> The rationale for distrust is that multiple sources [1][4][5] have provided credible evidence that spying activities, including use of sophisticated targeted surveillance tools, are a key component of DarkMatter’s business, and such an organization cannot and should not be trusted by Mozilla. In the past Mozilla has taken action against CAs found to have issued MitM certificates [6][7]. We are not aware of direct evidence of misused certificates in this case. However, the evidence does strongly suggest that misuse is likely to occur, if it has not already.

This paragraph provides the Module Owner’s rationale for why he is considering distrust and invites the community to comment on the matter. This properly frames the matter on which community input is desired, and we do not believe it biases the discussion.


Part 3: Abuse of Discretionary Power

The appeal reads:

> The Module Owner’s failure to consider relevant factors that should have been given significant, or equal weight, and deliberate mischaracterizations of facts intended to inflate the perceived risks of the Root Inclusion, resulted in an abuse of discretionary power.

This claim is addressed in the analysis above. We believe that the Module Owner’s decision was within their discretion.


Part 4: Discriminatory Practices

The appeal reads:

> The Module Owner conducted his decision making process, and allowed the distrust discussion to proceed, in a manner contrary to the Mozilla Foundation commitment to an “Internet that includes all the peoples of the earth – where a person demographic characteristics do not determine their online access, opportunities, or quality of experience”.
>
> a) The Applicants notified Mozilla of their Root Inclusion request in December of 2017. All TLS certificates (both EV and OV) were logged to CT. The Applicants completed WebTrust certification for CA, for BRs, and for EV in October 2017, and submitted the United Arab Emirates Global Roots as well as the Applicants’ own Commercial Roots to Mozilla for inclusion. In October 2018, the Applicants completed their second year of the required WebTrust Audits for CA, BRs, and EV and provided the same to Mozilla for inclusion with their root submission. Mozilla completed a successful Policy/Process review and technical review of the UAE Global Roots and the Applicants’ Commercial Roots in January of 2019. Notwithstanding the above, nowhere in his decision, nor in the call for distrust, did the Module Owner provide any weight on the Applicants’ exemplary conduct in the CA community as reflected in their WebTrust audits over the period of time leading up to the distrust discussion. In February of 2019, citing the disputed Reuters articles, the Module Owner and Mozilla staff began the distrust of the UAE Global Roots, including the Applicants’ Commercial Roots, and implicitly put into question the right of the United Arab Emirates to operate its existing public trust subordinate CAs through a commercial party located in the United Arab Emirates.

This section of the appeal rests on two misconceptions.

First, DarkMatter cites its completion of WebTrust audits as evidence of suitability, but these audits are a floor, not a ceiling, and the ultimate decision needs to be based on a judgement of risk, not a mechanical evaluation of audit compliance. This is made clear in section 7.1 of Mozilla’s Root Store Policy.

Second, this Policy as written is focused entirely on the benefit of users, not on the ability of nation states to operate their own trust anchor. While there would potentially be concern if UAE citizens were unable to obtain certificates, this does not appear to be so. As made clear in the Module Owner’s decision, DigitalTrust is welcome to become ‘a “managed” subordinate CA under the oversight of an existing trusted CA that retains control of domain validation and the private keys.’ We consider it a reasonable conclusion on the part of the Module Owner that this adequately addresses the needs of UAE citizens for localized issuance.


Part 5: Erroneous Legal Conclusions

The appeal reads:

> a) Digital Trust is an affiliate of DarkMatter and has never been owned by it as a subsidiary since its incorporation in April 2016. Both companies are subsidiaries of their parent company, Dark Matter Investments. The Applicants have provided the necessary legal documents to Mozilla, and have further disclosed all ultimate beneficial shareholders in a transparent manner.
>
> ...
>
> It is a fundamental principle of law that corporations have a statutory personality distinct from their shareholders. If taken at face value, the Module Owner’s erroneous assertion would imply that even the Mozilla Foundation and the Mozilla Corporation do not have the ability to operate independently, regardless of their names and legal structure. It should be noted that a number of CAs, e.g. Google and Sectigo, have complicated ownership structures and this is not cited in their ability to operate independently. We note that to-date the Module Owner has not made this type of claim against any other Mozilla Root Store participant. Unless the above reasoning is held to be an Erroneous Legal Conclusion made by the Module Owner this would be, in our view, another new standard that will be discriminatorily applied only to the Applicants, solely on the basis of incorporation and residence in the United Arab Emirates.

In our view this confuses a legal standard with a practical standard. The relevant practical question is whether any (alleged) malfeasance by one of a pair of sibling companies reflects on the other of the pair. In light of the described structure, this appears to be a reasonable conclusion for the Module Owner to have made.


Conclusion

Upon review, the TLMC believes that the Module Owner acted reasonably in recommending the distrust of the existing DarkMatter roots and the denial of their application. The appeal is denied.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy