I understand Nadim's points; there's a lot of subjective, biased "popular 
judgement".

While from a security perspective "better safe than sorry" is a good 
statement, from a rights and fairness perspective it's a very bad one.

So further conversation is needed.

Following the DarkMatter removal, I would like to bring to Mozilla's attention 
the removal of a list of companies whose main business is something else, but 
which also do offensive security and surveillance, with public "credible 
evidence".

I've analysed the Intermediate CA list in which DarkMatter is listed: 
https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts

In this list it is possible to find the following companies operating against 
"people's safety", and there is "credible evidence" that they are doing so:


* Saudi Telecom Company

This company is publicly known to ask to surveil and intercept people, as per 
the "credible evidence" at:
https://moxie.org/blog/saudi-surveillance/
https://citizenlab.ca/2014/06/backdoor-hacking-teams-tradecraft-android-implant/


* German Rohde & Schwarz

This company produces, installs and supports surveillance systems for 
intelligence agencies in regimes such as Turkmenistan:
https://www.rferl.org/a/german-tech-firm-s-turkmen-ties-trigger-surveillance-concerns/29759911.html

They sell solutions to intelligence agencies such as IMSI catchers and massive 
internet surveillance tools:
https://www.rohde-schwarz.com/en/solutions/aerospace-defense-security/overview/aerospace-defense-overview_229832.html


* US "Computer Sciences Corporation"

CSC is a US intelligence and defense contractor that does CNE (Computer 
Network Exploitation), as the WikiLeaks ICWatch shows.

Read the profile of a former CSC employee doing CNE like Snowden was doing:
https://icwatch.wikileaks.org/docs/rLynnette-Jackson932c7871cb1e83f3%3Fsp=0ComputerSciencesCorporationCyberSecurityAnalystSystemsEngineerRemoteSystemAdministrator2008-09-01icwatch_indeed

Additionally, their Wikipedia page acknowledges that they work for US intelligence:
https://en.wikipedia.org/wiki/Computer_Sciences_Corporation

CSC provided services to the United States Department of Defense,[23] law 
enforcement and intelligence agencies (FBI,[24] CIA, Homeland Security[23]), 
aeronautics and aerospace agencies (NASA). In 2012, U.S. federal contracts 
accounted for 36% of CSC total revenue.[25]


* Australia's Attorney-General's Department

The Australian Attorney-General's Department is a government agency that wants 
to permit the Australian Security Intelligence Organisation (ASIO) to hack IT 
systems belonging to non-involved, non-targeted parties.

It operates against people's safety and there is credible evidence of its 
behaviour in supporting ASIO to hack people, so it is very likely to abuse its 
intermediate CA:
http://www.h-online.com/security/news/item/Australian-secret-services-to-get-licence-to-hack-1784139.html


* US "National Geospatial-Intelligence Agency" https://www.nga.mil

The NGA is a US military intelligence agency, equivalent to the NSA but 
operating on space GEOINT and SIGINT, serving US intelligence and defense 
agencies.

NGA is the space partner of the NSA:
https://www.nsa.gov/news-features/press-room/Article/1635467/joint-document-highlights-nga-and-nsa-collaboration/

I think that no one would object to shutting down an NSA-operated intermediate 
CA; I am wondering whether Mozilla would consider this removal.


That said, given the approach that has been followed with DarkMatter regarding 
the "credible evidence" and "people's safety" principles, I would strongly 
argue that Mozilla should take action against the subjects documented above.

I will open a thread on this newsgroup for each of those companies to understand 
what the due process is and how it compares to this one.

Fabio Pietrosanti (naif)

On Tuesday, 9 July 2019 at 18:19:36 UTC+2, Nadim Kobeissi wrote:
> Dear Wayne,
> 
> I fully respect Mozilla's mission and I fully believe that everyone here is
> acting in good faith.
> 
> That said, I must, in my capacity as a private individual, decry what I
> perceive as a dangerous shortsightedness and lack of intellectual rigor
> underlying your decision. I do this as someone with a keen interest in
> Internet freedom issues and not as someone who is in any way partisan in
> this debate: I don't care for DarkMatter as a company in any way whatsoever
> and have no relationship with anyone there.
> 
> I sense enough urgency in my concerns to pause my work schedule today and
> respond to this email. I will do my best to illustrate why I sense danger
> in your decision. Essentially there are three specific points I take issue
> with:
> 
> -----------------
> 1: Waving aside demands for objective criteria.
> -----------------
> You say that "if we rigidly applied our existing criteria, we would deny
> most inclusion requests." Far from being an excuse to put more weight (or
> in this case, perhaps almost all weight) on subjective decision making,
> this should be a rallying cry for Mozilla to investigate why it is that an
> objective and democratic decision-making process is failing, and what can
> be done to make it work better. Waving aside objective procedures as
> "checklists" dismisses a core procedural element of how such critical
> decisions should be made in the future and is explicitly undemocratic and
> therefore dangerous.
> 
> -----------------
> 2: Calling allegations "credible" and "extensively sourced" with almost no
> basis whatsoever.
> -----------------
> You cite four articles: two are from the Intercept, one is from Reuters and
> one is from the New York Times. You claim that the fact that they are years
> apart bolsters their credibility; why is this the case? In fact, these
> articles all parrot almost exactly the same story, with some minor
> additions, updates and modifications. They all almost read like the same
> article, despite their temporal distribution. Furthermore, the notion that
> the articles are "extensively sourced" is simply incorrect: all of the
> articles are based on anonymous sources and none of them provide a shred of
> evidence, which is why we are in this debate to begin with (or so I've been
> thinking).
> 
> It should also be noted that both The Intercept and the New York Times have
> published misleading and incorrect information many times in their history.
> The Intercept in particular has a very spotty credibility record.
> 
> It is also not difficult to theorize how a politically trendy topic
> (cyberattacks) against the world's most easy-to-villainize company (an
> Arabic offensive cybersecurity company operating within a true monarchic
> state) would be appealing to American journalists. This sort of thing isn't
> new, and American "digital rights" groups have previously linked malicious
> cyberattacks to Middle Eastern countries without providing something that
> is even close to the same standard of evidence that they almost always
> provide when naming American or European actors.
> 
> It is indeed unfortunate that this issue was dealt with in a single
> paragraph: I would have expected it to be the brunt of the email given its
> importance, and it is impossible to qualify that reporting as "credible"
> and "extensively sourced" so summarily.
> 
> -----------------
> 3: Culminating in an argument that simply boils down to "the people's
> safety", a trope that is often overused and that leads to undemocratic
> behavior.
> -----------------
> 
> We don't know if DarkMatter is an evil spying empire that doesn't care
> about the rights and dignity of private citizens or not. We don't know if
> they're setting up shell companies to mislead Mozilla's CA vetting
> procedures or not. In fact, it's been months where no new information has
> arisen and I would like to repeat that I do not _at all_ discount the
> possibility that all of the allegations may turn out to be completely true.
> 
> But instead of making effort towards resolving this uncertainty, or, in
> case that's not possible, create procedures to deal with it, we see it
> being wielded in order to increase the subjectivity of the decision making
> that gatekeeps some of the most fundamental issues of Internet security and
> to legitimize shoddy thinking.
> 
> Individually, your apparent decision against DarkMatter doesn't bother me.
> It is the decision making process itself however that risks setting a
> dangerous precedent that is already taking shape in other parts of the tech
> community, where major decisions are predicated on gut feeling and notions
> of safety that are almost by design impossible to elucidate, and where
> much-needed objectivity, vetting and reasoned behavior is relegated to
> one-shot paragraphs that barely come with an apology.
> 
> In conclusion: perhaps it is exactly because DarkMatter are so incredibly
> easy to demonize that we are so temporarily blind to an infinitely more
> dangerous and terrifying lapse of judgement: one that may come from much
> closer to home. I don't mind if DarkMatter loses out here, but I urge you
> to self-reflect critically on what this decision may constitute in terms of
> a future trend.
> 
> Presented with the utmost respect and good faith,
> 
> Yours sincerely,
> 
> Nadim Kobeissi
> Symbolic Software • https://symbolic.software
> Sent from office
> 
> 
> On Tue, Jul 9, 2019 at 5:31 PM Wayne Thayer <wtha...@mozilla.com> wrote:
> 
> > I would like to thank everyone for their constructive input on this
> > difficult issue. I would also like to thank DarkMatter representatives for
> > participating in the open, public discussion. I feel that the discussion
> > has now, after more than 4 months, run its course.
> >
> > The question that I originally presented [1] to this community was about
> > distrusting DarkMatter’s current intermediate CA certificates (6 total)
> > based on credible evidence of spying activities by the company. While a
> > decision to revoke trust in these intermediates would likely result in a
> > denial of DarkMatter’s root inclusion request [2], the public discussion
> > for that request has not yet begun. A decision not to revoke these
> > intermediates does not necessarily mean that the inclusion request will be
> > approved.
> >
> > Some of this discussion has revolved around compliance issues, the most
> > prominent one being the serial number entropy violations discovered by
> > Corey Bonnell. While these issues would certainly be a consideration when
> > evaluating a root inclusion request, they are not sufficient to have
> > triggered an investigation aimed at revoking trust in the DarkMatter
> > intermediates or QuoVadis roots. Therefore, they are not relevant to the
> > question at hand.
> >
> > Much of the discussion has been about the desire for inclusion and distrust
> > decisions to be made based on objective criteria that must be satisfied.
> > However, if we rigidly applied our existing criteria, we would deny most
> > inclusion requests. As I stated earlier in this thread, every distrust
> > decision has a substantial element of subjectivity. One can argue that
> > we’re discussing a different kind of subjectivity here, but it still
> > amounts to a decision being made based on a collective assessment of all
> > the information at hand rather than a checklist.
> >
> > Some, including DarkMatter representatives [3], have declared the need to
> > examine and consider the benefits of having DarkMatter as a trusted CA.
> > However, last year we changed our policy to replace the weighing of
> > benefits and risks with “based on the risks of such inclusion to typical
> > users of our products.” [4]
> >
> > Perhaps the most controversial element in this discussion has been the
> > consideration of “credible evidence”. The first component is the inherent
> > uncertainty over what is “credible”, especially in this day and age. While
> > it has been pointed out that respected news organizations are not beyond
> > reproach [5], having four independent articles [6][7][8][9] from reputable
> > sources published years apart does provide some indication that the
> > allegations are credible. These articles are also extensively sourced.
> >
> > If we assume for a second that these allegations are true, then there is
> > still a sincere debate over what role they should play in our decision to
> > trust DarkMatter as a CA. The argument for considering these allegations is
> > akin to the saying “where there’s smoke there’s fire”, while the argument
> > against can be described as “innocent until proven guilty”.
> >
> > DarkMatter has argued [3] that their CA business has always been operated
> > independently and as a separate legal entity from their security business.
> > Furthermore, DarkMatter states that once a rebranding effort is completed,
> > “the DarkMatter CA subsidiary will be completely and wholly separate from
> > the DarkMatter Group of companies in their entirety.” However, in the same
> > message, DarkMatter states that “Al Bannai is the sole beneficial
> > shareholder of the DarkMatter Group.” and leaves us to assume that Mr. Al
> > Bannai would remain the sole owner of the CA business. More recently,
> > DarkMatter announced that they are transitioning all aspects of the
> > business to DigitalTrust and confirmed that Al Bannai controls this entity.
> > This ownership structure does not assure me that these companies have the
> > ability to operate independently, regardless of their names and legal
> > structure.
> >
> > Mozilla’s principles should be at the heart of this decision. The Mozilla
> > Manifesto [10] states:
> >
> > “Individuals’ security and privacy on the internet are fundamental and must
> > not be treated as optional.”
> >
> > And our Root Store policy states: “We will determine which CA certificates
> > are included in Mozilla's root program based on the risks of such inclusion
> > to typical users of our products.”
> >
> > In other words, our foremost responsibility is to protect individuals who
> > rely on Mozilla products.  I believe this framing strongly supports a
> > decision to revoke trust in DarkMatter’s intermediate certificates. While
> > there are solid arguments on both sides of this decision, it is reasonable
> > to conclude that continuing to place trust in DarkMatter is a significant
> > risk to our users. I will be opening a bug requesting the distrust of
> > DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also
> > recommend denial of the pending inclusion request, and any new requests
> > from DigitalTrust.
> >
> > In the past, we’ve seen CAs attempt to make an end run around adverse trust
> > decisions - through an acquisition, a shell company, etc. We will treat any
> > such attempt as a violation of this decision and act accordingly. Mozilla
> > does welcome DigitalTrust as a “managed” subordinate CA under the oversight
> > of an existing trusted CA that retains control of domain validation and the
> > private keys.
> >
> > This discussion has highlighted an opportunity to improve our review of new
> > externally-operated subordinate CAs [11]. This issue [12] is part of the
> > current policy update discussions.
> >
> > Wayne
> >
> > [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ
> > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262
> > [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/mJ0EV2eoCgAJ
> > [4] https://groups.google.com/d/msg/mozilla.dev.security.policy/58F6FgeGOz8/Zzb-r76wBQAJ
> > [5] https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/11/27/bloomberg-is-still-reporting-on-challenged-story-regarding-china-hardware-hack/
> > [6] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
> > [7] https://www.reuters.com/investigates/special-report/usa-spying-raven/
> > [8] https://www.nytimes.com/2019/03/21/us/politics/government-hackers-nso-darkmatter.html
> > [9] https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/
> > [10] https://www.mozilla.org/en-US/about/manifesto/
> > [11] https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits
> > [12] https://github.com/mozilla/pkipolicy/issues/169
> >

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy