Kurt,

Here is the link to the software download that BJCA provided:
http://download.bjca.org.cn/download/yzt/BJCAClientV3.8.101.0052.exe

Ben

On Mon, Mar 13, 2023 at 8:24 PM 'Kurt Seifried' via [email protected] <[email protected]> wrote:

> On Mon, Mar 13, 2023 at 2:35 PM Kathleen Wilson <[email protected]> wrote:
>
>> All,
>>
>> As per Mozilla's root inclusion process I need to make a decision about
>> approving or denying this root inclusion request from the Beijing CA.
>>
>> In my opinion, the Beijing CA has successfully completed our root
>> inclusion process and demonstrated compliance with all of our rules and
>> policies. Therefore, my inclination is to approve this request.
>>
>> There has been one item holding up my approval, which is the concerns
>> raised by contributors to this forum that the One Pass software might be
>> malware. I have been unable to find evidence to convince myself that the
>> One Pass software is malware, so I would like to ask those of you who have
>> raised such concerns...
>>
>> Is there something specifically that you have observed that One Pass does
>> that disrupts or damages the user's system or gains unauthorized access?
>
> I don't think anyone here has been directly affected, however, there are
> numerous reports and an entire report:
>
> https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf
>
> When we asked BJCA about this they replied "The software mentioned in the
> security incident report is a digital certificate application security
> suite developed by BJCA. The normal operation of this software depends on
> some technical implementation, which lead to misjudged as abnormal
> behavior, actually it is not a spyware."
>
> I guess it depends on who you chose to believe, BJCA has stated that yes
> they have this software, but it's not spyware, or the reports that it does
> in fact exhibit spyware characteristics.
>
>> If I continue to be unable to obtain reasonable suspicion
>> <https://www.merriam-webster.com/legal/reasonable%20suspicion> that One
>> Pass is malware, then I will proceed with approving this CA's root
>> inclusion request this week.
>
> Why can't they simply provide us with a copy of the software? Surely if it
> is legitimate and above board, this shouldn't be a problem? The previous
> reports include file hashes so getting the same version should be easy.
>
>> Thanks,
>> Kathleen
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a703dcde-67e5-4fc0-b036-1be8fa01038dn%40mozilla.org
>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a703dcde-67e5-4fc0-b036-1be8fa01038dn%40mozilla.org?utm_medium=email&utm_source=footer>.
>
> --
> Kurt Seifried (He/Him)
> [email protected]
