On Friday, February 22, 2019 at 2:21:24 PM UTC-7, Wayne Thayer wrote:

> The recent Reuters report on DarkMatter [1] has prompted numerous questions
> about their root inclusion request [2]. The questions that are being raised
> are equally applicable to their current status as a subordinate CA under
> QuoVadis (recently acquired by DigiCert [3]), so it seems appropriate to
> open up a discussion now. The purpose of this discussion is to determine if
> Mozilla should distrust DarkMatter by adding their intermediate CA
> certificates that were signed by QuoVadis to OneCRL, and in turn deny the
> pending root inclusion request.
>
> The rationale for distrust is that multiple sources [1][4][5] have provided
> credible evidence that spying activities, including use of sophisticated
> targeted surveillance tools, are a key component of DarkMatter's business,
> and such an organization cannot and should not be trusted by Mozilla. In
> the past Mozilla has taken action against CAs found to have issued MitM
> certificates [6][7]. We are not aware of direct evidence of misused
> certificates in this case. However, the evidence does strongly suggest that
> misuse is likely to occur, if it has not already.
>
> Mozilla's Root Store Policy [8] grants us the discretion to take actions
> based on the risk to people who use our products. Despite the lack of
> direct evidence of misissuance by DarkMatter, this may be a time when we
> should use our discretion to act in the interest of individuals who rely on
> our root store.
>
> I would greatly appreciate everyone's constructive input on this issue.
>
> - Wayne
>
> [1] https://www.reuters.com/investigates/special-report/usa-spying-raven/
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262
> [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/hicp7AW8sLA/KUSn20MrDgAJ
> [4] https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/
> [5] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
> [6] https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/Fj-LUvhVQYEJ
> [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1232689
> [8] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Insane that this is even being debated. If the floodgates are opened here you will NOT be able to get things back under control.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy