Relatedly, Rachel, you repeatedly wrote that you have knowledge that other root CAs are controlled by state actors. For example, from 11/21:
> In reading related reporting and blogging off-list, I need to address an
> elephant in the room. Apparently it may also come as a surprise to some
> readers that other root program members are in fact international
> governments, and some are also defense companies, or companies who are
> wholly-owned by defense companies and/or state-owned enterprises, meaning
> "businesses" that are completely owned or controlled by governments.
> Further, some of those governments are not free/democratic and in fact some
> have histories of tragic human rights violations.

Given that this likely *is* a surprise to many on this list (which you acknowledge), in the interest of transparency, I think it would be helpful to identify the CAs to which you were referring, so that there can be an open and frank discussion.

Similarly, you wrote that after your team's "exhausted research," you concluded that many other email encryption products advertised as being "end-to-end" encrypted in fact aren't:

> To address your concerns, based on our team's exhausted research into many
> other providers offering similar services, one basic rule applies; whether
> the encryption or decryption functions are occurring on the client (often
> in javascript) or on the server, the server is still storing and handling
> the key material in the process.

While less relevant to this particular list, I suspect many would still be interested in knowing which products are claiming to offer end-to-end encryption despite storing key material on servers (a design decision that many on this list would consider at odds with "end-to-end" encryption). In the interest of fostering trust and transparency, knowing which products are doing this is likely of interest to folks on this list (and more broadly).
Thanks and happy holidays,
serge

On Tue, Dec 20, 2022 at 12:13 AM 'Kurt Seifried' via [email protected] <[email protected]> wrote:
>
> On Wed, Nov 30, 2022 at 6:24 PM Rachel McPherson <[email protected]> wrote:
>
>> All,
>>
>> While we are incredibly disappointed with this decision, we are not going
>> to waste anyone's time with a response to the removal right now.
>
> Will there be a response? I don't think it's a waste of time,
> understanding exactly what has happened and doing a post-mortem is
> critical, especially if, as you say, this was not done correctly.
>
> There are also still numerous questions and concerns about the
> certification/ability of your auditor, especially in light of them being
> removed from a list of auditors.
>
>> Thank you,
>>
>> Rachel
>
> --
> Kurt Seifried (He/Him)
> [email protected]

--
/* Serge Egelman, Ph.D.
Research Director, Usable Security & Privacy
International Computer Science Institute (ICSI)
Research Scientist, Electrical Engineering and Computer Sciences (EECS)
University of California, Berkeley */
