That's version 3.x, the reports mention 2.x. I'd like the same version as the one mentioned specifically in the reports.
On Mon, Mar 13, 2023 at 8:39 PM Ben Wilson <[email protected]> wrote:

> Kurt,
> Here is the link to the software download that BJCA provided:
> http://download.bjca.org.cn/download/yzt/BJCAClientV3.8.101.0052.exe
> Ben
>
> On Mon, Mar 13, 2023 at 8:24 PM 'Kurt Seifried' via
> [email protected] <[email protected]> wrote:
>
>> On Mon, Mar 13, 2023 at 2:35 PM Kathleen Wilson <[email protected]>
>> wrote:
>>
>>> All,
>>>
>>> As per Mozilla's root inclusion process I need to make a decision about
>>> approving or denying this root inclusion request from the Beijing CA.
>>>
>>> In my opinion, the Beijing CA has successfully completed our root
>>> inclusion process and demonstrated compliance with all of our rules and
>>> policies. Therefore, my inclination is to approve this request.
>>>
>>> There has been one item holding up my approval, which is the concerns
>>> raised by contributors to this forum that the One Pass software might be
>>> malware. I have been unable to find evidence to convince myself that the
>>> One Pass software is malware, so I would like to ask those of you who have
>>> raised such concerns...
>>>
>>> Is there something specifically that you have observed that One Pass
>>> does that disrupts or damages the user's system or gains unauthorized
>>> access?
>>
>> I don't think anyone here has been directly affected, however, there are
>> numerous reports and an entire report:
>>
>> https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf
>>
>> When we asked BJCA about this they replied "The software mentioned in the
>> security incident report is a digital certificate application security
>> suite developed by BJCA. The normal operation of this software depends
>> on some technical implementation, which lead to misjudged as abnormal
>> behavior, actually it is not a spyware."
>>
>> I guess it depends on who you chose to believe, BJCA has stated that yes
>> they have this software, but it's not spyware, or the reports that it does
>> in fact exhibit spyware characteristics.
>>
>>> If I continue to be unable to obtain reasonable suspicion
>>> <https://www.merriam-webster.com/legal/reasonable%20suspicion> that One
>>> Pass is malware, then I will proceed with approving this CA's root
>>> inclusion request this week.
>>
>> Why can't they simply provide us with a copy of the software? Surely if
>> it is legitimate and above board, this shouldn't be a problem? The previous
>> reports include file hashes so getting the same version should be easy.
>>
>>> Thanks,
>>> Kathleen
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "[email protected]" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a703dcde-67e5-4fc0-b036-1be8fa01038dn%40mozilla.org
>>
>> --
>> Kurt Seifried (He/Him)
>> [email protected]

--
Kurt Seifried (He/Him)
[email protected]
