Hello: Thanks again for your answers to my questions and echoing Kathleen I also appreciate the discussion.
I just wanted to maybe summarize a bit of what I've learned from this so far so we can make sure I haven't misunderstood anything and let TrustCor correct anything I'm mistaken about both for me and the community. Thus this list that follows should be interpreted as "is it correct to say that ... ?", not claims that I am asserting.

(i) The Panama open corporate records were accurate in 2020 and earlier, but at some point in 2021 have changed. The partners were CHIVALRIC HOLDING COMPANY, LLC and FRIGATE BAY HOLDING, LLC. These are registered in Panama.

(ii) These companies are also partners for Measurement Systems S. De R. L.

(iii) The CHIVALRIC HOLDING COMPANY, LLC has no relation to the Chivalric Holding Company LLC registered in New Mexico formed Sept 2020 dissolved June 2022 with officer Vito Piacente, unless the relation is due to an attack against TrustCor.

(iv) The FRIGATE BAY HOLDING, LLC has no relation to Frigate Bay Holdings LLC (the latter having an "s" in holdings and no comma) registered in Wyoming formed Sept 2020 dissolved June 2022 with officer Vito Piacente and manager Raymond Saulino, again unless the relation is due to an attack against TrustCor.

(v) Software produced by Measurement Systems was inserted by a rogue developer into the Msgsafe app and that developer operated outside their authorization; this inclusion was not sanctioned.

(vi) The Msgsafe website is implemented where the key material and PGP/SMIME encryption/decryption processing is performed on Msgsafe servers, with industry standard TLS used to secure the connection from the browser to Msgsafe servers.

(vii) Typosquatting was done intentionally for similar email products, encrypted and otherwise, in 2016. But this was not done maliciously and no users were intentionally misled about where they ended up.

(viii) TrustCor is not a Canadian company, in that the TrustCor CA does not have any company in Canada, filings in Canada, etc.
Again, these are how I'm interpreting TrustCor's response and I could very well be wrong, so please let me know. I have a few more follow up questions:

(q1) The TrustCor website as I visit it now from my office at the University of Calgary states that: "TrustCor is a Panamanian registered company, with technical operations in one of the most secure, privacy oriented jurisdictions in the world. Traditional safe havens do not even come close to the protection offered by Curaçao's strict privacy laws." It does not actually say that technical operations are in Curacao, but that is how I had interpreted it. Assuming the privacy oriented jurisdiction being referenced by the paragraph is Arizona, why is Curacao part of that paragraph? Note this is TrustCor's website, not Msgsafe.

(q2) This website: https://www.dnb.com/business-directory/company-profiles.measurement_systems_s_de_rl.fe1d33ee8c1ff9a19bcc9c5b877cb483.html refers to Measurement Systems S de RL having as key principal Ryan Abramowitz. I haven't used dnb.com before, I have absolutely no idea where they source their data or if their data is any good. There is also no certainty that the Ryan Abramowitz is the same as the Ryan Abramowitz who is the co-founder's son. But it returns back to this theme of coincidences. So I guess as clarifications: did TrustCor's founder Ian Abramowitz or his son Ryan Abramowitz ever act as a representative for Measurement Systems or for its partners, namely CHIVALRIC HOLDING COMPANY, LLC and FRIGATE BAY HOLDING, LLC? (the Panama ones, not the copycat US ones)

(q3) Is there any risk that the rogue developer could have compromised TrustCor in any other way other than running unauthorized TCP relays and getting unauthorized code committed? How and when were these actions detected and are they referenced in any audit?

(q4) In what countries is TrustCor a legal entity?
Thanks again,
Joel Reardon, University of Calgary

On Tuesday, November 22, 2022 at 3:02:16 PM UTC-7 [email protected] wrote:

> All,
>
> The discussion thus far is appreciated and has been both informative and
> constructive. My post on November 8
> <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/WJXUELicBQAJ>
> indicated that if our concerns have not been resolved by today (November
> 22) and further investigation and discussion is still needed, that we would
> set the “Distrust for TLS After Date” and “Distrust for S/MIME After Date”
> to November 29, 2022, for the 3 TrustCor root certificates. However, we’d
> like to allow more time for any additional dialogue or external
> developments to transpire prior to sharing our intended course of action.
> We will continue our assessment and share out necessary next steps on
> Wednesday, November 30.
>
> Thanks,
> Kathleen
