Serge,

You guys found an (easily-explained) domain name, and then basically assumed the rest, and used opinion, circumstantial evidence, conjecture, and fear-mongering to push readers of a mailing list to ignore the fact that we’ve never done anything wrong (mis-issuance, reading people’s emails, intentionally distributing malware, we’ve done none of those things). Answering factually and legally carefully also fell on deaf ears and the event was sensationalized because "scandal" has a larger audience than "security," and it always has. And now all it takes is "making up" a scandal which has the same effect.
For those reasons, and because I stated this so clearly and repeatedly in my public responses to you, we are not going to drag other companies' names through the mud and expose them to the same biased, unfair and business-damaging scrutiny you desire to keep your name in the media and draw attention to your company. Again, you want to defer to "university research" but in reality you posted all this stuff on your company blog and announced the link to the company blog entry everywhere. Anyway I’m not going to get into your personal saga, my point is simply that we didn’t get a fair experience and we won’t bring others into that unfair experience because we don’t believe it’s in the public interest. Another factor I’ll offer is that even if a company (unlike us) is really owned by a defense contractor or government, it doesn’t mean they’re bad or that they’d misbehave. You’ve probably flown inside an aircraft or driven a car with systems developed by primarily-government-funded companies and enjoyed the safety and reliability they offer. So I’m saying that doesn’t make them bad, and especially in those cases, dragging them through the mud here would not serve the public interest. Also, maybe neither of us is any good at deciding what’s in the public interest, because this same group that you think cares about these things is the group that allowed the Chinese government to place certificates in the root store long after the "great firewall" was public and long after ample publication about their history of transgressions involving freedom of expression and human rights violations. And this stayed in place until there were obvious public violations by that Government. So I guess it’s a confusing topic and people don’t really care about the things you or I believe may be important. Or at least people’s priorities are different. If you fellows are good at research, you’ll be able to figure all that out yourselves.
I mean, the fact that you haven’t already done that and instead focused on just one company whose domain name you found doing something unrelated is silly and just further reinforces the point that you randomly came across a domain in other research and then misused that to motivate incorrect action upon us. The point is, many of these other cases are apparent and far more simple/straightforward, not to mention they’re actually "accurate" compared to your biased assessment of our company. But I encourage you NOT to do that research because (like us) they’ve not done anything wrong either so far as the public is concerned, otherwise they’d have been removed long ago, I imagine. This group was quick to remove us without reasonable evidence and with no history of wrongdoing, so I imagine they’d be even quicker to remove any company that showed any "real" evidence of actual wrongdoing. In summary, if you want to go hunt these companies down, it’s easy if you’re studious, and it certainly doesn’t take any funded university research or company resources, it just takes the ability to use a search engine and look at various backgrounds and public documents. For all the reasons we already stated we’re not under any circumstances going to provide a list of our beliefs and opinions to cause inappropriate public scrutiny or to create bias against these organizations — that’s your business promotion strategy, not ours.

Happy holidays,

Rachel

> On Dec 23, 2022, at 11:05 AM, Serge Egelman <[email protected]> wrote:
>
> Relatedly, Rachel, you repeatedly wrote that you have knowledge that other root CAs are controlled by state actors. For example, from 11/21:
>
>> In reading related reporting and blogging off-list, I need to address an elephant in the room. Apparently it may also come as a surprise to some readers that other root program members are in fact international governments, and some are also defense companies, or companies who are wholly-owned by defense companies and/or state-owned enterprises, meaning "businesses" that are completely owned or controlled by governments. Further, some of those governments are not free/democratic and in fact some have histories of tragic human rights violations.
>
> Given that this likely is a surprise to many on this list (which you acknowledge), in the interest of transparency, I think it would be helpful to identify the CAs to which you were referring, so that there can be an open and frank discussion. Similarly, you wrote that after your team's "exhausted research," you concluded that many other email encryption products advertised as being "end-to-end" encrypted in fact aren't:
>
>> To address your concerns, based on our team's exhausted research into many other providers offering similar services, one basic rule applies; whether the encryption or decryption functions are occurring on the client (often in javascript) or on the server, the server is still storing and handling the key material in the process.
>
> While less relevant to this particular list, I suspect many would still be interested in knowing which products are claiming to offer end-to-end encryption despite storing key material on servers (a design decision that many on this list would consider at odds with "end-to-end" encryption). In the interest of fostering trust and transparency, knowing which products are doing this is likely of interest to folks on this list (and more broadly).
>
> Thanks and happy holidays,
>
> serge
>
> On Tue, Dec 20, 2022 at 12:13 AM 'Kurt Seifried' via [email protected] <[email protected]> wrote:
>
>> On Wed, Nov 30, 2022 at 6:24 PM Rachel McPherson <[email protected]> wrote:
>>
>>> All,
>>>
>>> While we are incredibly disappointed with this decision, we are not going to waste anyone's time with a response to the removal right now.
>>
>> Will there be a response? I don't think it's a waste of time; understanding exactly what has happened and doing a post-mortem is critical, especially if, as you say, this was not done correctly.
>>
>> There are also still numerous questions and concerns about the certification/ability of your auditor, especially in light of them being removed from a list of auditors.
>>
>>> Thank you,
>>>
>>> Rachel
>>
>> --
>> Kurt Seifried (He/Him)
>> [email protected]
>>
>> --
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3_Nqk-8PPaTAtRQBEYLVwZ31%2BSULByyMeBOyhYbGFcvcA%40mail.gmail.com
>
> --
> /*
> Serge Egelman, Ph.D.
> Research Director, Usable Security & Privacy
> International Computer Science Institute (ICSI)
>
> Research Scientist, Electrical Engineering and Computer Sciences (EECS)
> University of California, Berkeley
> */

--
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6E0DEC52-1392-4217-817A-A103FD3DAAEE%40trustcor.ca
