I haven't seen the software. But isn't it BJCA's job to prove they are
trustworthy? Shouldn't BJCA.cn have some simple answer in the form of "no,
it's not spyware, and here's how we can easily and simply prove it"?

Why is this the responsibility of random Internet volunteers to prevent
Mozilla from being bamboozled into accepting an untrustworthy CA? Shouldn't
Mozilla be ensuring that root CAs are highly trusted and not involved in
spyware, like Trustcor apparently was?

Also when it comes to spyware there are very few experts or groups that can
properly analyze this (e.g. Citizen Lab comes to mind). There isn't some
huge pool of people with a ton of spare time to track this down. Witness
involvement in this mailing list as a good example of how few people are
actually involved.


On Mon, Mar 13, 2023 at 9:26 PM Ben Wilson <[email protected]> wrote:

> Kurt,
> I am a bit skeptical when I am only able to identify one report that is
> then repeated by other sources. Were you able to identify independent
> examinations of the v.2.x software other than the one by Insikt Group?
> Ben
>
> On Mon, Mar 13, 2023 at 8:48 PM Kurt Seifried <[email protected]> wrote:
>
>> That's version 3.x, the reports mention 2.x. I'd like the same version as
>> the one mentioned specifically in the reports.
>>
>> On Mon, Mar 13, 2023 at 8:39 PM Ben Wilson <[email protected]> wrote:
>>
>>> Kurt,
>>> Here is the link to the software download that BJCA provided:
>>> http://download.bjca.org.cn/download/yzt/BJCAClientV3.8.101.0052.exe
>>> Ben
>>>
>>> On Mon, Mar 13, 2023 at 8:24 PM 'Kurt Seifried' via
>>> [email protected] <[email protected]> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Mar 13, 2023 at 2:35 PM Kathleen Wilson <[email protected]>
>>>> wrote:
>>>>
>>>>> All,
>>>>>
>>>>> As per Mozilla's root inclusion process I need to make a decision
>>>>> about approving or denying this root inclusion request from the Beijing 
>>>>> CA.
>>>>>
>>>>> In my opinion, the Beijing CA has successfully completed our root
>>>>> inclusion process and demonstrated compliance with all of our rules and
>>>>> policies. Therefore, my inclination is to approve this request.
>>>>>
>>>>> There has been one item holding up my approval, which is the concerns
>>>>> raised by contributors to this forum that the One Pass software might be
>>>>> malware. I have been unable to find evidence to convince myself that the
>>>>> One Pass software is malware, so I would like to ask those of you who have
>>>>> raised such concerns...
>>>>>
>>>>> Is there something specifically that you have observed that One Pass
>>>>> does that disrupts or damages the user's system or gains unauthorized
>>>>> access?
>>>>>
>>>>
>>>> I don't think anyone here has been directly affected, however, there
>>>> are numerous reports and an entire report:
>>>>
>>>> https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf
>>>>
>>>> When we asked BJCA about this they replied "The software mentioned in
>>>> the security incident report is a digital certificate application
>>>> security suite developed by BJCA. The normal operation of this
>>>> software depends on some technical implementation, which lead to misjudged
>>>> as abnormal behavior, actually it is not a spyware."
>>>>
>>>> I guess it depends on who you choose to believe, BJCA has stated that
>>>> yes they have this software, but it's not spyware, or the reports that it
>>>> does in fact exhibit spyware characteristics.
>>>>
>>>>
>>>>>
>>>>> If I continue to be unable to obtain reasonable suspicion
>>>>> <https://www.merriam-webster.com/legal/reasonable%20suspicion> that
>>>>> One Pass is malware, then I will proceed with approving this CA's root
>>>>> inclusion request this week.
>>>>>
>>>>
>>>> Why can't they simply provide us with a copy of the software? Surely if
>>>> it is legitimate and above board, this shouldn't be a problem? The previous
>>>> reports include file hashes so getting the same version should be easy.
>>>>
>>>>
>>>>>
>>>>> Thanks,
>>>>> Kathleen
>>>>>
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "[email protected]" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a703dcde-67e5-4fc0-b036-1be8fa01038dn%40mozilla.org
>>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a703dcde-67e5-4fc0-b036-1be8fa01038dn%40mozilla.org?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>
>>>>
>>>> --
>>>> Kurt Seifried (He/Him)
>>>> [email protected]
>>>>
>>>
>>
>> --
>> Kurt Seifried (He/Him)
>> [email protected]
>>
>

-- 
Kurt Seifried (He/Him)
[email protected]
