Re: DarkMatter Concerns

2019-03-07 Thread nadim--- via dev-security-policy
I would like to repeat my call for establishing a set of empirical requirements 
that take into account the context of DarkMatter's current position in the 
industry as well as their specific request for the inclusion of a specific root 
CA.

While I don't necessarily fully support the method with which Benjamin chose to 
address Ryan's contributions to the discussion so far, I think we're all 
choosing to kid ourselves here if we continue to say that the underlying 
impetus for this discussion isn't primarily sociopolitical. The sooner an end 
is put to this, the better.

The right thing to do, right now, is for there to be a documented process 
through which a set of empirical, falsifiable, achievable requirements is set 
by either Mozilla, the CABForum, or both, for DarkMatter to fulfill so that 
they can be considered for inclusion. If these requirements are (1) defined 
fairly and (2) achieved by DarkMatter verifiably, then great. Otherwise, too 
bad.

It is my humble belief that any alternative course of action is a further 
descent into distraction.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: DarkMatter Concerns

2019-03-06 Thread nadim--- via dev-security-policy
On Tuesday, March 5, 2019 at 7:18:39 PM UTC+1, Ryan Sleevi wrote:
> On Tue, Mar 5, 2019 at 12:11 PM Matthew Hardeman via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> By comparison, the discussion around DarkMatter has been more similar to
> the discussion of Symantec rather than Sectigo, except DarkMatter has
> issued carefully worded statements that may, to some, appear to be denials,
> while to others, suggest rather large interpretative loopholes. This,
> combined with the interpretative issues that have been shown throughout the
> inclusion process - for which the serial numbers are merely the most recent
> incident, but by no means the first, raises concerns that there may be
> interpretative differences in the nature of the statements provided or the
> proposed guarantees. This seems like a reasonable basis of concern. Recall
> when TrustWave provided a similar creative interpretation regarding a MITM
> certificate it issued for purposes of "local" traffic inspection [2][3],
> attempting to claim it was not a BR violation. Or recall that Symantec made
> similar claims that the 30,000+ certificates that it could not demonstrate
> adhered to the BRs were somehow, nevertheless, not "misissued" [4] - as if
> the point of concern was the semantic statement of misissuance, rather than
> the systemic failure of the controls and the resulting lack of assurance.
> 
> In this regard, there is at least precedent that such interpretative
> differences do not bode well.

Perhaps it would be helpful for Mozilla to posit a set of unambiguous 
statements which it would require DarkMatter to categorically and fully 
deny. The goal of doing so would be to quell any potential "interpretative 
loopholes" within DarkMatter's denials. That could be a way of moving parts of 
this discussion solidly forward.