Kurt,
I am a bit skeptical when I am only able to identify one report that is then repeated by other sources. Were you able to identify independent examinations of the v.2.x software other than the one by Insikt Group?
Ben

On Mon, Mar 13, 2023 at 8:48 PM Kurt Seifried <[email protected]> wrote:

> That's version 3.x, the reports mention 2.x. I'd like the same version as
> the one mentioned specifically in the reports.
>
> On Mon, Mar 13, 2023 at 8:39 PM Ben Wilson <[email protected]> wrote:
>
>> Kurt,
>> Here is the link to the software download that BJCA provided:
>> http://download.bjca.org.cn/download/yzt/BJCAClientV3.8.101.0052.exe
>> Ben
>>
>> On Mon, Mar 13, 2023 at 8:24 PM 'Kurt Seifried' via
>> [email protected] <[email protected]> wrote:
>>
>>> On Mon, Mar 13, 2023 at 2:35 PM Kathleen Wilson <[email protected]>
>>> wrote:
>>>
>>>> All,
>>>>
>>>> As per Mozilla's root inclusion process I need to make a decision about
>>>> approving or denying this root inclusion request from the Beijing CA.
>>>>
>>>> In my opinion, the Beijing CA has successfully completed our root
>>>> inclusion process and demonstrated compliance with all of our rules and
>>>> policies. Therefore, my inclination is to approve this request.
>>>>
>>>> There has been one item holding up my approval, which is the concerns
>>>> raised by contributors to this forum that the One Pass software might be
>>>> malware. I have been unable to find evidence to convince myself that the
>>>> One Pass software is malware, so I would like to ask those of you who have
>>>> raised such concerns...
>>>>
>>>> Is there something specifically that you have observed that One Pass
>>>> does that disrupts or damages the user's system or gains unauthorized
>>>> access?
>>>>
>>>
>>> I don't think anyone here has been directly affected, however, there are
>>> numerous reports and an entire report:
>>>
>>> https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf
>>>
>>> When we asked BJCA about this they replied "The software mentioned in
>>> the security incident report is a digital certificate application
>>> security suite developed by BJCA. The normal operation of this software
>>> depends on some technical implementation, which lead to misjudged as
>>> abnormal behavior, actually it is not a spyware."
>>>
>>> I guess it depends on who you chose to believe, BJCA has stated that yes
>>> they have this software, but it's not spyware, or the reports that it does
>>> in fact exhibit spyware characteristics.
>>>
>>>>
>>>> If I continue to be unable to obtain reasonable suspicion
>>>> <https://www.merriam-webster.com/legal/reasonable%20suspicion> that
>>>> One Pass is malware, then I will proceed with approving this CA's root
>>>> inclusion request this week.
>>>>
>>>
>>> Why can't they simply provide us with a copy of the software? Surely if
>>> it is legitimate and above board, this shouldn't be a problem? The previous
>>> reports include file hashes so getting the same version should be easy.
>>>
>>>>
>>>> Thanks,
>>>> Kathleen
>>>>
>>>
>>> --
>>> Kurt Seifried (He/Him)
>>> [email protected]
>>>
>>
>
> --
> Kurt Seifried (He/Him)
> [email protected]
>

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY-s-WjZ%2BT7Ud91iEusLRnkpGYrVvXnPQCuMnkPjpsZhA%40mail.gmail.com.
