RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (6 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

1) Violation of Anti-Trust Laws:

The Module Owner’s discretionary decision, when taken into context with the 
comments of other Mozilla Peers employed by other Browsers and/or competing 
Certificate Authorities, is intended to result in the types of unfair 
competition that are prohibited under the United States Sherman Act, the United 
States Federal Trade Commission Act, the Canadian Competition Act, the European 
Union Anti-Trust Policies, and the United Arab Emirates Competition Laws.

a) Notwithstanding the assertions for a decision “made on a collective 
assessment of all the information at hand”, the Module Owner, and Mozilla 
staff, have blatantly ignored, or failed to acknowledge and consider, the 
impact of anti-competitive comments made by Mr. Ryan Sleevi, a Google employee, 
with regard to the Applicants’ Root Inclusion request.

> “I highlight this, because given the inherently global nature of the 
> Internet, there is no technical need to work with local CAs, and, with a 
> well-run root store, all CAs provide an equivalent level of protection and 
> security, which rests in the domain authorization.” [1]

The above statement is quite startling in that it is being made by a 
representative of a dominant market power as an argument against the inclusion 
of a new economic participant’s entry into the global CA market place. In light 
of the fact that this representative has tried to justify a technical 
non-compliance to support revocation of the Applicants’ Root Inclusion (note 
that a significantly higher number of users were at risk due to the same serial 
entropy violations of his own employer Google) [2], and considering that this 
representative was a key player in the demonstration of dominant Browser market 
power against a significant CA global business [3], the Applicants have a 
reasonable basis to believe that the distrust discussion is more likely to be 
motivated by economic considerations that preserve incumbent parties’ market 
domination and monopolization.

b) Additionally, the Module Owner, and Mozilla staff, have blatantly ignored, 
or failed to acknowledge and consider, the Applicants’ response to the Google 
Representative in their decision-making process. The General Counsel of 
DarkMatter asserted unambiguously in the public discussion as follows:

“We are of the view that CA monopolies are inherently bad for the internet in 
that they unfairly exploit market power. The result is a fundamental right to 
Internet security and privacy being deliberately priced out of reach for a 
significant population of the world.  We ask you, what can be more of an 
anti-competitive monopoly than a "well run store" (read Google/Mozilla) that 
does not take into consideration that sovereign nations have the fundamental 
right to provide digital services to their own citizens, utilizing their own 
national root, without being held hostage by a provider situated in another 
nation.” [4]

The above discussions are highly relevant to the decision-making process, 
considering that the Module Owner is aware of the significant economic 
investment the Applicants have made in progressing the Root inclusion requests 
over the past two years.  In fact, the Applicants have received further 
communications from other relevant Browser Stores indicating that their 
respective decision to permit the Applicants to participate in the global CA 
business ecosystem will be based and influenced by the Mozilla Module Owner’s 
highly subjective discretionary decision. The entire global internet traffic is 
controlled by four (4) Browser Root Stores (Mozilla, Microsoft, Google and 
Apple). As Reuters pointed out in its July 4 story, three (3) of those Browser 
Stores will likely adopt and enforce this decision by Mozilla. In light of 
this, the Module Owner would be, or should be, aware of the significant 
economic harm of a decision based on less than verifiable “credible evidence”.

c) Notwithstanding the above highly relevant elements of the public discussion, 
the Module Owner has now made a significant decision (on less than verifiable 
“credible evidence”) which we believe is intended to unfairly affect commerce 
in the global CA ecosystem through the use of the coercive influence he wields 
on the Applicants as a result of his discretionary decision making power. While 
rejecting the right of the Applicants to participate directly within the 
Mozilla Root Store, and by extension setting the stage for an outright denial 
of the Applicants’ inclusions in any other browser store, the Module Owner has 
decided as follows:

> Mozilla does welcome DigitalTrust as a “managed” subordinate CA under the 
> oversight of an existing trusted CA that retains control of domain validation 
> and the private keys. [5]

We are of the view that a fair-minded and objective observer would reasonably 
conclude that the above statement indicates that 

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (5 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

1) Erroneous Legal Conclusions:

The Module Owner’s discretionary decision was guided by an erroneous legal 
conclusion, when he determined that the legal ownership structure of the 
Applicants was insufficient to allow them to operate independently.

a) Digital Trust is an affiliate of DarkMatter and has never been owned by it 
as a subsidiary since its incorporation in April 2016. Both companies are 
subsidiaries of their parent company, Dark Matter Investments. The Applicants 
have provided the necessary legal documents to Mozilla, and have further 
disclosed all ultimate beneficial shareholders in a transparent manner.

> DarkMatter has argued that their CA business has always been operated 
> independently and as a separate legal entity from their security business. 
> Furthermore, DarkMatter states that once a rebranding effort is completed, 
> “the DarkMatter CA subsidiary will be completely and wholly separate from the 
> DarkMatter Group of companies in their entirety.” However, in the same 
> message, DarkMatter states that “Al Bannai is the sole beneficial shareholder 
> of the DarkMatter Group.” and leaves us to assume that Mr. Al Bannai would 
> remain the sole owner of the CA business. More recently, DarkMatter announced 
> that they are transitioning all aspects of the business to DigitalTrust and 
> confirmed that Al Bannai controls this entity. This ownership structure does 
> not assure me that these companies have the ability to operate independently, 
> regardless of their names and legal structure. [1]

It is a fundamental principle of law that corporations have a statutory 
personality distinct from their shareholders. If taken at face value, the 
Module Owner’s erroneous assertion would imply that even the Mozilla Foundation 
and the Mozilla Corporation do not have the ability to operate independently, 
regardless of their names and legal structure.

It should be noted that a number of CAs, e.g. Google and Sectigo, have 
complicated ownership structures and this is not cited in their ability to 
operate independently. We note that, to date, the Module Owner has not made 
this type of claim against any other Mozilla Root Store participant.

Unless the above reasoning is held to be an Erroneous Legal Conclusion made by 
the Module Owner, this would be, in our view, another new standard that will be 
discriminatorily applied only to the Applicants, solely on the basis of 
incorporation and residence in the United Arab Emirates.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ


Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae

The information transmitted, including attachments, is intended only for the 
person(s) or entity to which it is addressed and may contain confidential 
and/or privileged material. Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon this information by persons or 
entities other than the intended recipient is prohibited. If you received this 
in error, please contact the sender and destroy any copies of this information.


RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (4 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

1) Discriminatory Practices:

The Module Owner conducted his decision making process, and allowed the 
distrust discussion to proceed, in a manner contrary to the Mozilla Foundation 
commitment to an “Internet that includes all the peoples of the earth – where a 
person’s demographic characteristics do not determine their online access, 
opportunities, or quality of experience”.

a) The Applicants notified Mozilla of their Root Inclusion request in December 
of 2017. All TLS certificates (both EV and OV) were logged to CT.  The 
Applicants completed WebTrust certification for CA, for BRs, and for EV in 
October 2017, and submitted the United Arab Emirates Global Roots as well as 
the Applicants’ own Commercial Roots to Mozilla for inclusion.  In October 
2018, the Applicants completed their second year of the required WebTrust 
Audits for CA, BRs, and EV and provided the same to Mozilla for inclusion with 
their root submission. Mozilla completed a successful Policy/Process review and 
technical review of the UAE Global Roots and the Applicants’ Commercial Roots 
in January of 2019. Notwithstanding the above, nowhere in his decision, nor in 
the call for distrust, did the Module Owner give any weight to the Applicants’ 
exemplary conduct in the CA community as reflected in their WebTrust audits 
audits over the period of time leading up to the distrust discussion.

In February of 2019, citing the disputed Reuters articles, the Module Owner, 
and Mozilla staff began the distrust of the UAE Global Roots, including the 
Applicants’ Commercial Roots, and implicitly put into question the right of the 
United Arab Emirates to operate its existing public trust subordinate CAs 
through a commercial party located in the United Arab Emirates.

b) The distrust discussion marked a significant departure from the existing 
Mozilla process, in that the Module Owner had now abandoned the reliance on 
technical compliance and any qualification of the CA or its ability to 
demonstrate compliant operations.

> Some, including DarkMatter representatives, have declared the need to examine 
> and consider the benefits of having DarkMatter as a trusted CA. However, last 
> year we changed our policy to replace the weighing of benefits and risks with 
> “based on the risks of such inclusion to typical users of our products.” [1]

The new standard which the Module Owner has now discriminatorily applied solely 
to the UAE Global Roots and the Applicants’ Commercial Roots appears to be on 
the hypothetical and unfounded basis of what the Applicants may allegedly do in 
the future.

All of the facts would lead an objective person to conclude that the 
Module Owner has established a dangerous precedent that he wishes to 
discriminatorily apply only to the Applicants, solely on the basis of 
incorporation and residence in the United Arab Emirates.

c) Notwithstanding the Module Owner’s comments about safeguarding the typical 
users of Mozilla products, and in regards to the false and unsubstantiated 
allegation that the Applicants have engaged in spying activities (which the 
Applicants have repeatedly indicated they do not do), other participants have 
highlighted that a number of other companies, who currently provide offensive 
security and surveillance related services, have been enrolled in the Mozilla 
Root Program for a number of years. [2]

Notwithstanding the Module Owner’s assertion (in his decision) that “our 
foremost responsibility is to protect individuals who rely on Mozilla 
products”, to-date the Module Owner has not contemplated or triggered a 
distrust discussion against any of these parties.

If, in fact, this decision is truly motivated by the issue of “trust” and the 
protection of individuals (rather than the creation of additional barriers that 
preserve incumbent parties’ continued market domination and monopolization), we 
call on the Mozilla Foundation to apply the same standard that the Module Owner 
wishes to apply to the Applicants, and immediately start the process of 
distrust discussion for all CAs in the Mozilla Root Store who are either 
affiliated, directly, or indirectly, involved or even alleged to be in the 
business of offensive security and surveillance.

d) Furthermore, in accordance with the Mozilla “commitment to an internet that 
elevates critical thinking, reasoned arguments, shared knowledge, and 
verifiable facts”, we are of the view that the Module Owner failed in his 
fiduciary responsibility to moderate the distrust discussions, and reject 
public assertions that magnified divisive stereotypes about the United Arab 
Emirates and the Applicants.

The Module Owner would have, or should have known, that by remaining silent in 
the face of discriminatory and divisive comments about the United Arab Emirates 
and the Applicants, while at the same time continually highlighting the alleged 
and disputed Reuters’ 

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (3 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

1) Abuse of Discretionary Power:

The Module Owner’s failure to consider relevant factors that should have been 
given significant, or equal weight, and deliberate mischaracterizations of 
facts intended to inflate the perceived risks of the Root Inclusion, resulted 
in an abuse of discretionary power.

a) The Module Owner, and Mozilla staff, have repeatedly indicated that the 
decision to distrust the Root Inclusion has been predicated on “credible 
evidence” as reported in the misleading Reuters articles (including those 
articles where Mozilla staff are quoted as news-makers), and on the totality of 
the information to be provided.

> “Much of the discussion has been about the desire for inclusion and distrust 
> decisions to be made based on objective criteria that must be satisfied. 
> However, if we rigidly applied our existing criteria, we would deny most 
> inclusion requests. As I stated earlier in this thread, every distrust 
> decision has a substantial element of subjectivity. One can argue that we are 
> discussing a different kind of subjectivity here, but it still amounts to a 
> decision being made on a collective assessment of all the information at hand 
> rather than a checklist.” [1]

The Applicants have repeatedly challenged the misleading Reuters articles as 
being based on a singular false and defamatory allegation. The CEO of 
DarkMatter formally, and publicly, communicated to the Module Owner by letter 
dated 26 February, 2019 refuting the misleading Reuters articles. [2] The 
CEO of DarkMatter has also gone on the record with various media refuting the 
baseless and defamatory allegations. [3]

Notwithstanding the assertions for a decision “made on a collective 
assessment of all the information at hand”, the Module Owner, and Mozilla 
staff, have blatantly ignored, or failed to acknowledge and consider, any of 
the information provided by the Applicants to-date. On the other hand, the 
Module Owner has been less than impartial in his approach, consistently (in our 
view) minimizing the Applicants’ information, or public comments supporting the 
Applicants, while highlighting only those false, and disputed articles that 
push a hidden agenda against the United Arab Emirates and the Applicants. [4]

b) Since the Module Owner has singularly defined the purpose of the Root 
Inclusion discussions as a necessary requirement for the protection of the 
security and privacy of individuals, the Applicants provided concrete evidence 
demonstrating that their work since the very inception of the company, is 
fundamentally aligned with the goals of the Mozilla Manifesto. The Applicants 
further made a standing offer, for the Mozilla organization and other media 
parties to visit the United Arab Emirates to see directly for themselves the 
work being conducted by the Applicants.

More specifically, the Applicants have provided several recent examples of 
their pro-bono activities to the Module Owner with information regarding how 
critical security responsible disclosures are made by the Applicants and their 
affiliated companies, and which directly align with Mozilla’s principles to 
ensure that the internet, and other digital products, are safe for all users 
worldwide. E.g.:

- Pgpool - PgPoolAdmin Responsible Disclosure [5]
- Cisco - IP Phone Responsible Disclosure [6] [7]
- Sony - Smart TV Responsible Disclosure [8]
- FoxitSoftware - Foxit Reader Responsible Disclosure [9]
- Samsung - S Family Responsible Disclosure [10]
- LibreNMS Responsible Disclosure [11] [12] [13]
- ABB - HMI Responsible Disclosure [14] [15] [16]

Notwithstanding the above, the Module Owner has either blatantly ignored, or 
failed to acknowledge and consider, any of the above information provided, or 
the invitations accorded, by the Applicants to-date, in making his decision.

c) In addition to attributing a false innuendo of “MitM Certificates” to the 
Applicants’ intention, the Module Owner has deliberately continued to 
mischaracterize the facts in a manner that is intended to overinflate the 
perceived risks of the Root Inclusion to the public at large.

> “The question that I originally presented to this community was about 
> distrusting DarkMatter’s current intermediate CA Certificates (6 total) based 
> on credible evidence of spying activities by the company.” [17]

The Module Owner is well aware that the original 3 intermediate CA Certificates 
(one for EV, one for OV, and one for Client Certificates) that were created for 
public trust issuance within the UAE national PKI were name constrained and had 
already been revoked by QuoVadis/Digicert. [18]  A decision this significant 
should be based on accurate facts, and not on the sort of mischaracterization 
that overinflates the risk.

Considering that a number of community participants, including Ryan Sleevi, a 
Mozilla CA Module participant employed by Google, 

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (2 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

2) Procedural Fairness/Bias:

The Module Owner’s decision making activities, and the supporting actions of 
other Mozilla staff, were not procedurally fair, transparent, absent of bias, 
nor made in good-faith.

a) The Applicants are headquartered in the United Arab Emirates, and have 
wholly-owned subsidiaries domiciled in Canada and the European Union.  The 
Applicants conduct all of their business strictly in accordance with the laws 
of the jurisdictions in which they operate and continue to do so.  Over the 
past three and a half (3.5) years, the Applicants have successfully completed 
two (2) WebTrust public audits verifying that the Applicants’ CA business is 
operating in accordance with the technical standards stipulated within Mozilla 
Root Store Policy and the latest version of the CA/Browser Forum Requirements 
for the Issuance and Management of Publicly-Trusted Certificates. Furthermore, 
the Applicants have been ISO9001 and ISO27001 certified in their quality and 
information systems management as an independent verification of the management 
controls and governance in place for the operations of the business itself.

b) To-date the Applicants have not been cited for any non-compliance with the 
laws of the jurisdictions in which they operate, and there has never been any 
credible evidence of their malfeasance in any form or shape whatsoever.

c) Notwithstanding the above, by directly asserting and attributing a false 
innuendo of “MitM Certificates” to the Applicants’ intention, the Module Owner 
deliberately framed the public discussion about the merits of the Root 
Inclusion requests in a significantly detrimental manner from the outset.

> “In the past Mozilla has taken action against CAs found to have issued MitM 
> certificates. We are not aware of direct evidence of misused certificates in 
> this case. However, the evidence does strongly suggest that misuse is likely 
> to occur, if it has not already.” [1]

The Module Owner would have, or should have, known that framing the public 
discussion in such an inflammatory statement would “intentionally manipulate 
fact and reality” and deliberately distort the Root Inclusion discussion in a 
manner that misinforms the public about the Applicants’ Root Inclusion and 
their activities. The Module Owner chose to imply the negative innuendos about 
“MitM Certificates” even though there was no credible evidence available to him 
as to such malfeasance by the Applicants in the more than three (3) years 
within which, as the Module Owner, he would have been aware of the Applicants’ 
work and Root Inclusion request.

d) Concerted efforts by Mozilla staff to publicly pre-judge the issue, by 
soliciting and providing follow-up interviews to the media, were solely 
intended to undermine the efforts of the Applicants in disputing the misleading 
articles used as the basis for biasing the Root Inclusion public discussions.

> “We don’t currently have technical evidence of misuse (by DarkMatter) but the 
> reporting is strong evidence that misuse is likely to occur in the future if 
> it hasn’t already,” said Selena Deckelmann, a senior director of engineering 
> for Mozilla. [2]

The Module Owner, and Mozilla staff, would have, or should have, known that by 
deliberately fanning the controversy (as news-makers rather than impartial 
adjudicators), they would harm the prospects of a fair process for the 
Applicants’ Root Inclusion. We are of the view that Mozilla staff did a great 
disservice to the idea of "trust" - when they persisted in a concerted effort 
with Reuters - to accelerate the false narrative about the Applicants, solely 
because they were a commercial CA business head-quartered in the United Arab 
Emirates.

This undue interference by the Module Owner, and Mozilla staff, demonstrated an 
abdication of impartiality, extreme prejudicial bias in the decision making 
process, and a hidden organizational animus, that is fatal to the idea of “due 
process” and “fundamental fairness” being accorded to the Applicants by Mozilla 
in this Root Inclusion.

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ
[2] https://www.reuters.com/article/us-usa-spying-darkmatter/firefox-maker-fears-darkmatter-misuse-of-browser-for-hacking-idUSKCN1QL28T



RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (1 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS

Mozilla Foundation Board of Directors
Attention: Mitchell Baker, Executive Chairwoman

Mozilla Corporation
Attention: Chris Beard, CEO
Attention: Denelle Dixon-Thayer, General Counsel

July 16, 2019

Mozilla CA Certificate Policy Module: Appeal of the Module Owner Decision Dated 
July 9, 2019

Dear Sirs/Mesdames,

In accordance with the Mozilla organization’s dispute resolution mechanism [1], 
I am writing to the Mozilla Foundation Board of Directors and the Mozilla 
Corporation, to formally dispute the decision of Mr. Wayne Thayer (“Module 
Owner”), the current owner of the Mozilla CA Certificate Policy module 
(“Mozilla CA Module”), dated July 9, 2019 (and concurred to by Ms. Kathleen 
Wilson on July 16, 2019), with regard to the Mozilla Root Store inclusion 
request for both the United Arab Emirates Global Roots and the Digital Trust 
Commercial Roots (“Root Inclusion”) originally made by Dark Matter LLC 
(“DarkMatter”) and currently being progressed by its affiliate Digital Trust 
LLC (“Digital Trust”, and together with DarkMatter, the “Applicants”).

In the conduct of his discretionary decision, the Module Owner recommended (1) 
a rejection of the Applicants’ Root Inclusions, (2) a prohibition of any new 
additional Root Inclusion requests from Digital Trust, and (3) opened a bug 
request for an additional distrust of existing intermediate CA certificates 
created for public trust within the UAE national PKI. [2]

The Module Owner’s discretionary decision is disputed, and an appeal to the 
Mozilla Foundation Board of Directors is lodged, on the grounds of (1) 
Undisclosed Conflict of Interest, (2) Procedural Fairness/Bias, (3) Abuse of 
Discretionary Power, (4) Discriminatory Practices, (5) Erroneous Legal 
Conclusions, and (6) Violation of Global Anti-Trust Laws, as more fully 
detailed below:

(1) Conflict of Interest:

The Module Owner failed to recognize, or blatantly ignored, undisclosed 
Conflict of Interests posed by certain participants (including Mozilla Staff) 
who represent for-profit corporations with a significant (including, but not 
limited to, global market dominance and monopolization power) economic interest 
in the outcome of the Applicants’ Root Inclusion, and the distorting impact of 
such Conflict of Interests on the Module Owner’s discretionary decision.

a) The Mozilla Corporation is a wholly-owned for-profit subsidiary of the 
Mozilla Foundation.  The for-profit Mozilla Corporation provides internet based 
browser software and other related services. Access to the entire global 
internet traffic is controlled by four (4) Browser Root Stores (Mozilla 
Corporation, Google, Microsoft and Apple).  Two of these commercial Browser 
Root Stores are the most significant search engine providers on the internet, 
and therefore have a substantial economic interest in the global Certificate 
Authority business (including in the United Arab Emirates).  Approximately 93% 
to 94% of Mozilla Corporation’s revenues are derived from such search engine 
providers.  [3]

b) The Module Owner is employed by the for-profit Mozilla Corporation as a 
Certificate Authority Program manager. Key Mozilla staff who are involved in 
framing the negative media feedback about the Root Inclusion are also employed 
by the for-profit Mozilla Corporation. [4]  Key CA/Policy participants in the 
Mozilla CA Module are also employed by other commercial Certificate 
Authorities and/or Browser Stores which have a significant economic stake in 
the Root Inclusion decision [5].

c) In light of the above, the Module Owner had a responsibility to ensure that 
any Conflict of Interests by any participants in the Root Inclusion discussions 
are clarified for the record so that undisclosed interests (including economic 
market domination and monopolization of the global Certificate Authority 
business ecosystem) which may distort the Module Owner’s decision making 
process are publicly disclosed for interested media, the general public, and 
global trade/competition regulators.

d) The Applicants have repeatedly brought their concerns with Conflict of 
Interests to the attention of the Module Owner.

> “While we welcome the public discussion as a vital component in the 
> maintenance of trust and transparency in Mozilla’s Root Store, we wish to 
> bring to your attention, and to other esteemed CABForum members, DarkMatter’s 
> reasonable apprehension of bias and conflict of interest in how the Mozilla 
> organization has framed and conducted the discussion at hand. Notwithstanding 
> the stated goal of transparency in the public discussion, recent public 
> comments by Mozilla employees (including your opening statement in the 
> discussion), indicate a hidden organizational animus that is fatal to the idea 
> of “due process” and “fundamental fairness” being accorded to any CA applicant 
> to the Mozilla Root Store.” [6]

The Applicants explicitly 

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
A formal appeal has been filed with the Mozilla Foundation Board of Directors.  
In the spirit of transparency, we will be posting the contents of the Appeal to 
this forum in six (6) separate messages.

Benjamin Gabriel

-Original Message-
From: dev-security-policy  On 
Behalf Of Kathleen Wilson via dev-security-policy
Sent: Tuesday, July 16, 2019 8:20 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DarkMatter Concerns

All,

Thanks again to all of you who have been providing thoughtful and constructive 
input into this discussion. As I previously indicated [1], this has been a 
difficult decision to make. I have been carefully reading and contemplating the 
input that you all have been providing in this forum.

I concur with Wayne’s recommendation [2] to add DarkMatter’s existing 
intermediate certificates to OneCRL 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1564544), and decline 
DarkMatter’s root inclusion request 
(https://bugzilla.mozilla.org/show_bug.cgi?id=1427262). I will update those 
bugs to reflect my decision to distrust the intermediate certs and to decline 
the root inclusion request.

I also concur with Wayne that DarkMatter (a.k.a DigitalTrust) is welcome to be 
a “managed” subordinate CA under the oversight of an existing trusted CA that 
retains control of domain validation and the private keys.

Below are some additional comments I would like to share.

I was intrigued by Matthew’s FICO score analogy [3] demonstrating that bias 
should be removed from the decision making process. I agree with Gijs’ 
suggestion [4] that a more applicable analogy is being a guarantor on a large 
loan. As Gijs said: you should never “be a guarantor for anybody unless you're 
very, very sure of that person, because you have effectively no recourse if the 
debtor leaves you holding the bag.” If I had thought of myself (or Mozilla) as 
a guarantor of the CNNIC CA, then all of the concerns that people had raised 
about CNNIC during their root inclusion request would have enabled me to say 
that I was not confident that CNNIC would continue to fulfill their commitments 
as a CA in Mozilla’s program. That could have prevented the difficulties that 
arose when the CNNIC root was used to mis-issue TLS certificates that were 
subsequently used for MiTM.

Some of you have pointed out that Mozilla needs to provide more oversight and 
scrutiny of subordinate CAs, and I fully agree with you.
With over 3,000 subordinate CA certificates chaining to root certificates in 
Mozilla’s program, we need automation to extend checks and balances to all of 
them. I have been working towards this via the Common CA Database (CCADB) [5]. 
The good news is that most of the subordinate CAs in Mozilla’s program are 
“managed” subordinate CAs, which means that the root CA retains control of the 
private keys and domain validation. As Wayne mentioned, we are also working on 
improving our policy and process to provide better oversight of the other, 
“externally-operated”, subordinate CAs [6,7].

Thanks,
Kathleen

[1]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/LPCGngLxBwAJ
[2]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ
[3]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/HiAMJkBNDQAJ
[4]
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/XXp1KIBoDQAJ
[5] https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/
[6]
https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits
[7] https://github.com/mozilla/pkipolicy/issues/169


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: DarkMatter Concerns

2019-03-22 Thread Benjamin Gabriel via dev-security-policy



Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae

The information transmitted, including attachments, is intended only for the 
person(s) or entity to which it is addressed and may contain confidential 
and/or privileged material. Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon this information by persons or 
entities other than the intended recipient is prohibited. If you received this 
in error, please contact the sender and destroy any copies of this information.

On 2/24/19 11:08 AM, Nex wrote:

> The New York Times just published another investigative report that
> mentions DarkMatter at length, with additional testimonies going on
> the
> record:

Dear Nex,

The New York Times article that you reference does not add anything new to the 
misleading allegations previously published in the Reuters article.  It simply 
repeats ad nauseam a false, and categorically denied, narrative about 
DarkMatter, under the guise of investigative reporting on the alleged 
surveillance practices of governmental authorities of foreign countries.

DarkMatter is strictly a commercial company which exists to provide 
cyber-security and digital transformation services to our customers in the 
United Arab Emirates, and the larger GCC and MENA regions.

We have already noted that these misleading allegations about DarkMatter were 
originally planted by defamatory and false sources - in two (2) articles 
published on the internet - and are now repeatedly recycled by irresponsible 
journalists looking for a sensationalist angle on socio-political regional 
issues.  And we have consistently, and categorically, denied and refuted all of 
the allegations about DarkMatter, including on this forum. [1][2]

The fact that the New York Times has chosen to recycle these refuted false 
narratives about DarkMatter, without reaching out to inquire on the real 
DarkMatter story, is unfortunate.  At times like this - it is important to note 
that not all news reporting is based on factual or true events, and is 
sometimes based on undisclosed bias or in some instances on outright fraudulent 
reporting. [3][4][5][6][7][8]

We continue to push for responsible journalism that is based on truth and 
verifiable facts.

Regards,
Benjamin Gabriel
General Counsel, DarkMatter Group

[1] 
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/QAj8vTobCAAJ
[2] 
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/VZf8xR-hAgAJ
[3] https://theintercept.com/2016/02/02/a-note-to-readers/
[4] 
https://www.nytimes.com/2016/02/03/business/media/the-intercept-says-reporter-falsified-quotations.html
[5] 
https://www.theguardian.com/media/2016/feb/02/the-intercept-fires-reporter-juan-thompson
[6] 
https://www.nytimes.com/2013/05/05/public-editor/repairing-the-credibility-cracks-after-jayson-blair.html
[7] 
https://www.nytimes.com/2003/05/11/us/correcting-the-record-times-reporter-who-resigned-leaves-long-trail-of-deception.html
[8] https://en.wikipedia.org/wiki/The_New_York_Times_controversies


RE: DarkMatter Concerns

2019-03-07 Thread Benjamin Gabriel via dev-security-policy
Part 1 of 2:

Dear Ryan,

A fair and transparent public discussion requires full disclosure of each 
participant's motivations and ultimate agenda.  Whether in CABForum, or 
Mozilla-dev-security-policy, I represent the viewpoints of my employer 
DarkMatter and passionately believe in our unflagging efforts to provide the 
citizens, residents and visitors to the United Arab Emirates with the same 
internet security and privacy protections that are taken for granted in other 
parts of the world.

On Wednesday, March 6, 2019 7:51 PM, Ryan Sleevi wrote:
>  (Writing in a personal capacity)

Until such time as we have been formally advised by your employer (Google), 
that you no longer represent their views in CABForum, or in this 
Mozilla-dev-security-policy forum, we will proceed on the basis that all of 
your statements are the official viewpoint of your employer (Google).

>   I highlight this, because given the inherently global nature of the
>   Internet,  there is no technical need to work with local CAs, and,
>   with a well-run root store,  all CAs provide an equivalent level of
>   protection and security, which rests in the domain authorization

We reject your paternalistic view that there is no technical need for a local 
United Arab Emirates CA.  Our own research has determined that approximately 
68% of the websites in the United Arab Emirates are not adequately protected 
for HTTPS traffic (double the global average).  If those incumbent CA 
monopolies that you champion were doing such a great job globally - why such a 
stark difference?

We are of the view that CA monopolies are inherently bad for the internet in 
that they unfairly exploit market power. The result is a fundamental right to 
Internet security and privacy being deliberately priced out of reach for a 
significant population of the world.  We ask you, what can be more an 
anti-competitive monopoly than a "well run store" (read Google/Mozilla) that 
does not take into consideration that sovereign nations have the fundamental 
right to provide digital services to their own citizens, utilizing their own 
national root, without being held hostage by a provider situated in another 
nation.  You should note that DarkMatter's request is also for the inclusion of 
UAE's national root.

Benjamin Gabriel
General Counsel
Dark Matter Group


Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae


RE: DarkMatter Concerns

2019-03-07 Thread Benjamin Gabriel via dev-security-policy
Part 2 of 2

On Wednesday, March 6, 2019 7:51 PM, Ryan Sleevi wrote:

>DarkMatter response to the serial number issue has demonstrated
>that DarkMatter did not do the expected due diligence to investigate
>and understand the issue.

Your statement as Google's representative is quite disingenuous and 
self-serving.   As a new member of the CABForum, we were not privy to the 
discussions for Ballot 164, and have interpreted the Baseline Requirements as 
they were written.   We have made the necessary incident report and 
corrections. [1]  We note that your own employer, Google, also discovered that 
it had the same entropy non-compliance with its serial numbers (as a result of 
the DarkMatter discussions highlighting it to them), and we presume that 
hundreds of thousands of certificates would be affected globally (in 
comparison to the less than 300 impacted DarkMatter certificates).[2]  Clearly 
the risk to users is larger in the Google case.  Are you also going to accuse 
your employer (Google) as not having undertaken "the expected due diligence to 
investigate and understand the issue" that you demand from DarkMatter, and call 
for the same sanctions against Google that you wish to impose on DarkMatter?

Does the Mozilla foundation stand by this double-standard because Google is one 
of its significant donors, and its default search engine? Reports indicate that 
in 2014, 90% of Mozilla's royalties revenue was derived from its contract with 
Google. We understand that the relationship persists today. [3] Transparency in 
a public discussion requires full disclosure and transparency from all - not 
just DarkMatter.

>You have highlighted that you believe such articles are misleading,
> but there  are a number of unresponded questions to past replies
> that seek to better understand.

I am glad that you brought this up directly with me - and in this public 
discussion.  Ryan, you have been one of the individuals who have been 
persistent in spreading this false narrative - as far back as February 2018 - 
during our initial submission to CABForum.  We have duly noted and have been 
aware of your persistent attempts to interfere with our contractual relations.  
Your employer should know that we have had to expend considerable effort to 
defend against your back-room politicking, and defamatory innuendos, about the 
nature of our business.

For the record, there are simply two (2) articles, which cite defamatory and 
categorically false sources, making utterly baseless allegations about 
DarkMatter's purpose and mission.  These two narratives have been recycled 
repeatedly by journalists seeking a lurid and sensationalist myth-making angle 
on our purpose and mission.  Repeating a lie ad nauseam does not make it true.  
CA representatives (including the Mozilla representatives who have chosen to 
pre-judge DarkMatter using the same media sources ) do a great disservice to 
the idea of "trust" - when they persist in a concerted effort to accelerate 
this false narrative about DarkMatter, a commercial CA business head-quartered 
in the United Arab Emirates.

Read my statement carefully:  there are no ambiguities or loopholes in our 
categorical denials of any false claim made about DarkMatter in these 
misleading articles.  These claims are baseless and have nothing to do with 
DarkMatter.

It is very clear to us that your paternalistic dismissal of the need for 
regional or "local CAs" seems to indicate a hidden motivation: fewer CAs 
offering competitive services in the marketplace.  Our view is clear and 
unambiguous: when CAs, or Root Store operators, use their participation in 
these processes in a manner that is intended to arbitrarily, and without any 
valid proof, restrict or impede the inclusion of DarkMatter certificates, they 
are colluding to create an economic environment that is contrary to anti-trust 
laws.


Benjamin Gabriel
General Counsel
Dark Matter Group




Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae
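The serial-number entropy issue referred to in this message, and again in the 6 March reply to Selena further down the page (certificates "with 63 bit entropy serial numbers" on the EJBCA platform), comes from the Baseline Requirements rule introduced by Ballot 164: serial numbers must be positive, non-sequential, at most 20 octets when DER-encoded, and contain at least 64 bits of CSPRNG output. The added example below is not code from the thread, nor from any CA, browser or CA software named in it; it shows the structural checks a relying party or auditor can make on a single certificate, and the batch heuristic that actually exposes the 63-bit failure mode: a generator that draws 64 random bits and then clears the sign bit, so that no serial it ever produces has bit 63 set. The sample serial sets are constructed from a seeded PRNG; no real issuer's serials appear.

```python
"""Serial-number lint for the BR 7.1 entropy requirement (added example).

Not code from the mailing-list thread or from any CA or browser named in it.
Per-certificate checks: positive, at most 20 DER content octets (RFC 5280
4.1.2.2). Batch heuristic: a compliant 64-bit generator sets bit 63 in about
half of its outputs, so a sample of n serials from one issuer in which no
serial reaches 64 bits has probability 2**-n under compliance.
"""
import random
from typing import Dict, Iterable, List, Tuple

MIN_ENTROPY_BITS = 64        # BR 7.1 after Ballot 164: >= 64 bits of CSPRNG output
MAX_DER_OCTETS = 20          # RFC 5280 4.1.2.2: serialNumber <= 20 octets


def der_integer_octets(value: int) -> int:
    """Content octets a positive integer needs as a DER INTEGER; a leading
    0x00 is required when the top bit of the first octet is set."""
    return value.bit_length() // 8 + 1


def parse_der_serial(content: bytes) -> int:
    """Decode DER INTEGER content octets. DER integers are two's complement,
    so 8 octets starting with 0xFF decode to a negative (non-compliant) serial."""
    return int.from_bytes(content, "big", signed=True)


def lint_serial(serial: int) -> List[str]:
    """Structural checks possible on a single certificate."""
    problems: List[str] = []
    if serial <= 0:
        problems.append("serial number is not positive")
    elif der_integer_octets(serial) > MAX_DER_OCTETS:
        problems.append("serial number exceeds 20 DER octets")
    return problems


def batch_entropy_report(serials: Iterable[int], min_samples: int = 32) -> Dict[str, object]:
    """Heuristic over many serials issued by ONE issuer.

    'compliant' is None when the sample is too small for a verdict, False when
    a finding was raised, True otherwise.
    """
    values = sorted(set(int(s) for s in serials))
    n = len(values)
    report: Dict[str, object] = {"samples": n, "findings": [], "compliant": None}
    findings: List[str] = []
    if n < min_samples:
        findings.append(f"only {n} samples; need {min_samples} for a verdict")
        report["findings"] = findings
        return report
    # Count serials whose value actually uses bit 63 or higher.
    wide = sum(1 for v in values if v.bit_length() >= MIN_ENTROPY_BITS)
    if wide == 0:
        findings.append(
            f"no serial reaches {MIN_ENTROPY_BITS} bits in {n} samples; "
            f"at most {MIN_ENTROPY_BITS - 1} bits of entropy (p ~ 2**-{n})"
        )
    if n > 1 and all(b - a == 1 for a, b in zip(values, values[1:])):
        findings.append("serials are sequential")
    report["findings"] = findings
    report["compliant"] = not findings
    return report


def constructed_samples(seed: int = 20190306, count: int = 64) -> Tuple[List[int], List[int]]:
    """Constructed sample sets (assumption: no real issuer's serials are used).
    The second set reproduces the sign-bit-cleared, 63-bit failure mode."""
    rng = random.Random(seed)
    full_64 = [rng.getrandbits(64) for _ in range(count)]
    sign_cleared = [rng.getrandbits(64) & ((1 << 63) - 1) for _ in range(count)]
    return full_64, sign_cleared


if __name__ == "__main__":
    full_64, sign_cleared = constructed_samples()
    print("64-bit generator:", batch_entropy_report(full_64))
    print("63-bit generator:", batch_entropy_report(sign_cleared))
    print("negative DER serial:", lint_serial(parse_der_serial(bytes.fromhex("ff" * 8))))
```

The batch check is what matters in practice: every individual 63-bit serial passes the structural checks, and only the absence of bit 63 across an issuer's output reveals the shortfall, which is why a CA would be expected to survey its own issued certificates rather than lint them one at a time.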


RE: DarkMatter Concerns

2019-03-06 Thread Benjamin Gabriel via dev-security-policy
Dear Selena,

On Wednesday, 6 March 2019 02:58:19 UTC+4, Selena Deckelmann  wrote:
>
> I think what you've quoted are accurate statements. That is, recent articles 
> raised questions that I, and others, felt were important to bring to this 
> public forum to discuss.
>

While we welcome and are fully aligned with a public and transparent 
discussion, we continue to call for Mozilla representatives to conduct their 
discretionary powers in accordance with the principles of due process and 
fundamental fairness. We are in agreement that Mozilla is making good on its 
commitment when it brings these challenging discussions, and the articles of 
concern, to this public forum for an independent and unbiased discussion.   
However, with due respect, we believe that it is extremely prejudicial and 
biased when Mozilla representatives provide follow-up interviews - to the same 
misleading article - in order to simply state that this originally disputed 
“reporting is strong evidence”.  It is very simple to see why DarkMatter has 
reasonable grounds for an apprehension of hidden bias in the Mozilla 
fiduciaries.

> Wayne recently posted about our reasons for maintaining our own CA root 
> program [1] and quoted the Mozilla Manifesto which states that "Individuals' 
> security and privacy on the internet are fundamental and must not be treated 
> as optional."

We agree with the Mozilla Manifesto unequivocally.  Mozilla should note that a 
key reason why DarkMatter decided to launch a commercial CA business is because 
the citizens, residents and visitors to the United Arab Emirates currently do 
not have access to local providers who can provide them with the protections 
taken for granted in other parts of the world.  We are fully committed to 
fundamental rights of the individual to security and privacy, and work 
diligently to advance those through all of our commercial efforts, services and 
products.   While we are a young company, our commitment to security and 
privacy of the individual is a “verifiable fact” that should also be introduced 
into this public discussion. To secure and protect individuals who use mobile 
devices for communications, we have successfully launched KATIM® phone, a 
purpose built, mobile device based on four security pillars: hardened and 
tamper-resistant hardware, hardened OS with hardware-based crypto root of 
trust, KATIM™ secure communications suite and back-end infrastructure that, 
together form a unique ultra-secure system. [1]

Contrary to the misleading narratives and articles being peddled by parties 
with a hidden agenda, we are fully committed to a secure and safer internet for 
all individuals everywhere.  You will note that this has already been formally 
communicated in a letter to Mozilla by our CEO, and further shared in this 
public discussion.  A good example of this commitment is the work our security 
researchers do, each and every day, to identify and disclose malicious 
applications that attack the security and privacy of individuals everywhere.  
In May, 2018, we identified and informed Google of a malicious application 
available on the Google play store.[2]   In late 2018, we further made a 
responsible disclosure to Apple of a significant attack that “bypasses all 
native macOS security measures”, and further presented the full findings at 
Hack In the Box conference in Singapore. [3]  As you can see, our commitment to 
the digital security of all individuals, whether in the United Arab Emirates or 
anywhere else in the world, is fully evident in our work and services to date.

We are also extremely proud of all our colleagues in DarkMatter who continually 
affirm their commitment to security and privacy by the work they conduct on a 
daily basis.  Our CA business unit, headed by Scott Rea, has worked diligently 
to meet every technical requirement for a CA, in accordance with the CABForum 
Baseline Requirements and EV Guidelines.  This Mozilla inclusion public 
discussion has also allowed us to showcase our timely and expedient response 
when issues are identified.  A good example is our lead, in how we responded in 
a timely manner to the concerns raised, by certain list members, with regard to 
entropy non-compliance of our serial numbers on the EJBCA platform.  As a 
result, other CAs are now alerted to the same issue that impacts them – case in 
example being Google, who has subsequently declared their own entropy 
non-compliance and is now in the process of replacing and revoking certificates 
with 63 bit entropy serial numbers globally.[4]

Again, we look forward to meeting the Mozilla representatives, and other 
CABForum members, at the CABForum’s F2F, and following up on any further 
clarifications Mozilla may need for a more public and transparent discussion.

Benjamin Gabriel
General Counsel, DarkMatter Group.

[1] https://www.darkmatter.ae/KATIM/
[2] 
https://www.darkmatter.ae/blogs/darkmatter-identifies-app-stealing-personal-information/
[3] 

RE: DarkMatter Concerns

2019-03-05 Thread Benjamin Gabriel via dev-security-policy
Message Body (2 of 2)
[... continued ..]

Dear Wayne

Furthermore, it is unfortunate that Mozilla have chosen to reference 
categorically misleading articles (and which continue to be recycled on 
slow-news days, on an annual basis since 2016) to support the allegation of 
“credible evidence”, without sharing the verifiable facts upon which Mozilla 
have come to this conclusion.  While we do not wish to prejudice our ongoing 
efforts to vigorously address defamatory statements through the appropriate 
legal channels, in the spirit of the transparency, we will touch on each of the 
referenced articles below:

• The Reuters and the 2016 Intercept article have been cited as “credible 
evidence”.  They discuss allegations, events, and people that pre-date 
DarkMatter’s existence, and where DarkMatter is referenced it is by way of 
anecdotal references to false, defamatory, and unsubstantiated statements by 
parties who are either anonymous or peddling a hidden agenda of their own with 
respect to the United Arab Emirates.

• Our purpose and vision are very clear, and it is publicly communicated:  
DarkMatter exists to enable business and governments to become smart, safe and 
cyber-resilient.  We simply cannot comment on the allegations in the Reuters 
and the Intercept reports as they are about activities that we do not do, nor 
can we comment on facts that we are not knowledgeable about, the practices of 
government entities, individuals and other companies mentioned in these 
articles who are not associated with us.

• Mozilla have further cited a categorically false and blatantly defamatory 
posting by one Simone Margaritelli as a “credible reference.”[2] Again we 
remind you of the commitment by the Mozilla foundation for decision making 
using “verifiable facts”.

• Since we are alleged to have interviewed said individual and provided a job 
offer, it almost beggars belief that to-date no one has provided any evidence 
of such communications or participation in interviews by DarkMatter with such 
individual (whether abroad or in the United Arab Emirates).  Such evidence does 
not exist – because (1) DarkMatter has never extended an offer in any capacity 
to such individual; (2) the persons mentioned as having granted an interview to 
such individual have never been employed by DarkMatter; (3) DarkMatter does not 
have an office in the claimed interview location.  These are clear examples of 
categorical falsehoods – and are not “verifiable facts” upon which Mozilla can 
support its pre-judgment of DarkMatter.

We are of the view that a fair-minded and objective observer would reasonably 
conclude that the public pre-judgment by Mozilla employees’ inclusion of the 
above noted allegations, especially the innuendo of the “MitM Certificates” is 
fatal to the idea of “due process” and “fundamental fairness” being accorded to 
any CA applicant to the Mozilla Root Store.

In conclusion, we wish to reiterate our continued commitment to a transparent 
and auditable trust business. We will continue to operate our CA business in 
strict adherence and compliance with both the letter and spirit of relevant 
national laws without exception. We look forward to meeting with you, and with 
other CABForum members, at the CABF F2F in Cupertino, and to answering any 
further questions that you may have with regard to this matter.

Yours sincerely,

Benjamin Gabriel
General Counsel
DarkMatter Group



Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae


RE: DarkMatter Concerns

2019-03-05 Thread Benjamin Gabriel via dev-security-policy
Message body (1 of 2)

Mozilla CA Certificate Policy Module Owner

Dear Wayne,

I am writing to provide an official response to the public discussion that you 
have initiated, on mozilla.dev.security.policy, in accordance with Article 7.1 
of the Mozilla Root Store Policy, on the inclusion of DarkMatter certificates 
in the Mozilla Root Certificate Store.

While we welcome the public discussion as a vital component in the maintenance 
of trust and transparency in Mozilla’s Root Store, we wish to bring to your 
attention, and to other esteemed CABForum members, DarkMatter’s reasonable 
apprehension of bias and conflict of interest in how the Mozilla organization 
has framed and conducted the discussion at hand.  Notwithstanding the stated 
goal of transparency in the public discussion, recent public comments by 
Mozilla employees (including your opening statement in the discussion), 
indicate a hidden organizational animus that is fatal to the idea of “due 
process” and “fundamental fairness” being accorded to any CA applicant to the 
Mozilla Root Store.

As you are fully aware, DarkMatter has spent considerable effort over the past 
three (3) years to establish its commercial CA and Trust related business.  A 
key milestone has been the successful completion of two (2) Web Trust public 
audits verifying that DarkMatter’s CA business is operating in accordance with 
the standards stipulated within Mozilla Root Store Policy and the latest 
version of the CA/Browser Forum (“CABForum”) Requirements for the Issuance and 
Management of Publicly-Trusted Certificates.  We have publicly disclosed our 
Certificate Policy and Certification Practice Statements showing how we comply 
with the above noted requirements.

A key pillar of the Mozilla Manifesto is the “commitment to an internet that 
elevates critical thinking, reasoned argument, shared knowledge, and verifiable 
facts” and a rejection of the use of the power of the internet to 
“intentionally manipulate fact and reality”.[1] Notwithstanding the call for 
a public discussion, we note that other senior members of your organization 
have already pre-judged in public DarkMatter’s ability to be “trusted” on the 
basis of less than reasoned arguments and verifiable facts.

Marshal Erwin, director of trust and security for Mozilla, said the Reuters 
Jan. 30 report had raised concerns inside the company that DarkMatter might use 
Mozilla’s certification authority for “offensive cybersecurity purposes rather 
than the intended purpose of creating a more secure, trusted web.”

“We don’t currently have technical evidence of misuse (by DarkMatter) but the 
reporting is strong evidence that misuse is likely to occur in the future if it 
hasn’t already,” said Selena Deckelmann, a senior director of engineering for 
Mozilla.

Every CA, Root CA, National PKI operator and Governmental Regulatory body (in 
every country of the world) should be as alarmed as we are at the dystopian 
vision articulated by the Mozilla employees for those sovereign nations deemed 
not worthy of operating their own national certificates. The above comments 
indicate an approach that is contrary to the stated commitment of the Mozilla 
foundation to an “Internet that includes all the peoples of the earth – where a 
person’s demographic characteristics do not determine their online access, 
opportunities, or quality of experience”. It should be disturbing to the 
entire CABForum community that Mozilla is contemplating exercising its 
discretionary power in a capricious manner – against a company headquartered in 
the United Arab Emirates – simply on the basis of non-existent “evidence” of a 
future unknown “misuse”.

There simply cannot be “trust” in the discretionary power of a root store 
operator (whether it is Mozilla or Google), if its decisions are based on 
something less than “verifiable facts”.

In light of the above comments, we ask you, as the Mozilla CA Certificate 
Policy Module Owner, to further reconsider how you have framed the public 
discussion on DarkMatter’s inclusion request - with the following statement:

“The rationale for distrust is that multiple sources [1][4][5] have provided 
credible evidence that spying activities, including the use of sophisticated 
targeted surveillance tools, are a key component of DarkMatter’s business, and 
such an organization cannot and should not be trusted by Mozilla. In the past 
Mozilla has taken action against CAs found to have issued MitM certificates 
[6][7]. We are not aware of direct evidence of misused certificates in this 
case. However, the evidence does strongly suggest that misuse is likely to 
occur, if it has not already.”

There is no doubt in our mind that Mozilla’s inclusion of the references to 
CAs found to have issued “MitM Certificates” in the opening statement about 
the “rationale for distrust” of DarkMatter is extremely prejudicial in that it 
deliberately distorts the discussion and misinforms the public