Re: DarkMatter Concerns

2019-12-23 Thread Ronald Crane via dev-security-policy
NYT 12/23/2019 on the ToTok spying app and DarkMatter: -- WASHINGTON — It is billed as an easy and secure way to chat by video or text message with friends and family, even in a country that has restricted popular messaging services like WhatsApp and Skype. But the service, ToTok, is

Re: DarkMatter Concerns

2019-07-22 Thread Wayne Thayer via dev-security-policy
Benjamin, On behalf of Mozilla I'd like to acknowledge that your request has been received and is under review. - Wayne On Tue, Jul 16, 2019 at 12:14 PM Benjamin Gabriel via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Message Body (6 of 6) APPEAL TO MOZILLA

Finance analogies for root stores (was: Re: DarkMatter Concerns)

2019-07-22 Thread Gijs Kruitbosch via dev-security-policy
(I'm splitting the topic because at this point, continuing to discuss the analogy doesn't have a direct bearing on the inclusion or otherwise of DM) Replies inline. On 16/07/2019 23:23, Matthew Hardeman wrote: I submit that I disagree somewhat with Gijs' suggestion that Mozilla acts in the

Re: DarkMatter Concerns

2019-07-17 Thread Cynthia Revström via dev-security-policy
I would like to point out that in the recent appeal PDF posted on bugzilla showed darkmatter.ae in the footer on page 2 and onwards. This further makes me believe that there is not much separation of the entities. - Cynthia On Wed, 17 Jul 2019, 01:29 Ronald Crane via dev-security-policy, <

Re: DarkMatter Concerns

2019-07-16 Thread Ronald Crane via dev-security-policy
I have to rebut the idea that revoking trust is an adequate -- let alone an "essentially absolute" -- recourse for a CA's abuse of its authority. The fact is that an abusive CA can cause unwanted (and potentially harmful) code and data to be injected into -- and personal data to be

Re: DarkMatter Concerns

2019-07-16 Thread Matthew Hardeman via dev-security-policy
In fairness, I think Mozilla essentially stipulated that this reason was given little or no weight in the decision. Specifically Wayne Thayer noted at [1]: Some of this discussion has revolved around compliance issues, the most prominent one being the serial number entropy violations discovered

Re: DarkMatter Concerns

2019-07-16 Thread Matthew Hardeman via dev-security-policy
Hi Kathleen and community, I understand that you've made a decision w/r/t the DarkMatter CA matters and am not writing to challenge or attempt influence on those. I'm responding here only in so far as that you were "intrigued" by my comments analogizing Mozilla Root Trust store decisioning to

Re: DarkMatter Concerns

2019-07-16 Thread Nadim Kobeissi via dev-security-policy
I think it's interesting how one of the main technical arguments for denying DarkMatter's root inclusion request -- the misissuance of certificates with 63-bit identifiers instead of 64-bit identifiers, also affected Google, Apple and Godaddy, and to a much greater extent:

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (6 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS 1) Violation of Anti-Trust Laws: The Module Owner’s discretionary decision, when taken into context with the comments of other Mozilla Peers employed by other Browsers and/or competing Certificate Authorities, are intended

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (5 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS 1) Erroneous Legal Conclusions: The Module Owner’s discretionary decision was guided by an erroneous legal conclusion, when he determined that the legal ownership structure of the Applicants was insufficient to allow them to

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (4 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS 1) Discriminatory Practices; The Module Owner conducted his decision making process, and allowed the distrust discussion to proceed, in a manner contrary to the Mozilla Foundation commitment to an “Internet that includes all

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (3 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS 1) Abuse of Discretionary Power: The Module Owner’s failure to consider relevant factors that should have been given significant, or equal weight, and deliberate mischaracterizations of facts intended to inflate the

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (2 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS 2) Procedural Fairness/Bias: The Module Owner’s decision making activities, and the supporting actions of other Mozilla staff, were not procedurally fair, transparent, absent of bias, nor made in good-faith. a) The

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
Message Body (1 of 6) APPEAL TO MOZILLA FOUNDATION BOARD OF DIRECTORS Mozilla Foundation Board of Directors Attention: Mitchell Baker, Executive Chairwoman Mozilla Corporation Attention: Chris Beard, CEO Attention: Denelle Dixon-Thayer, General Counsel July 16, 2019 Mozilla CA Certificate

RE: DarkMatter Concerns

2019-07-16 Thread Benjamin Gabriel via dev-security-policy
half Of Kathleen Wilson via dev-security-policy Sent: Tuesday, July 16, 2019 8:20 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DarkMatter Concerns Caution: This email originated from outside DarkMatter. Do not click links or open attachments unless you recognize the sender and bel

Re: DarkMatter Concerns

2019-07-16 Thread Kathleen Wilson via dev-security-policy
All, Thanks again to all of you who have been providing thoughtful and constructive input into this discussion. As I previously indicated [1], this has been a difficult decision to make. I have been carefully reading and contemplating the input that you all have been providing in this forum.

Re: DarkMatter Concerns

2019-07-11 Thread Gijs Kruitbosch via dev-security-policy
On 11/07/2019 03:38, Matthew Hardeman wrote: I used the parallel to racism in finance because it's exceedingly well documented that strong objective systems of risk management and decisioning led to better overall financial outcomes AND significantly opened the door to credit (aka trust) to

Re: DarkMatter Concerns

2019-07-11 Thread westmail24--- via dev-security-policy
As an ordinary user from Russia, I am very glad that DarkMatter is rejected in this thread. If for example there are complaints about some kind of plastic surgeon, then it is better to refuse the operation than to immediately start trying on yourself having believed his documents and risking to

Re: DarkMatter Concerns

2019-07-10 Thread Matthew Hardeman via dev-security-policy
On Wed, Jul 10, 2019 at 11:43 AM Scott Rea via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Mozilla’s new process, based on its own admission, is to ignore technical > compliance and instead base its decisions on some yet to be disclosed > subjective criterion which is

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan, In outlining the two paths that I presented at the end of my previous email, I made sure to illustrate the choice between them as one that comes repeatedly -- a conscious choice that every time produces a small, incremental improvement, often through a tiresome and onerous process.

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan, Thanks very much for this very insightful email. There really is a lot that I and others don't know about how these decisions are made. The silver lining here is that we agree on where some of the gaps are in this process, and that Mozilla, Google and others are working on filling in

Re: DarkMatter Concerns

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 3:17 PM Nadim Kobeissi wrote: > Many times in this discussion, we have all been offered a choice between > two paths. The first path would be to examine difficult problems and > shortcomings together and attempting to present incremental--often > onerous--improvements.

Re: DarkMatter Concerns

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 2:15 PM Nadim Kobeissi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Indeed I would much rather focus on the rest of the elements in the Mozilla > Root Store Policy ( > >

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan, Thank you very much for pointing out that in the examples listed by Fabio, none of them actually control the private key. I did not know this and assumed that the opposite would be the case for at least some of the entities listed. I am indeed a new participant and I have an

Re: DarkMatter Concerns

2019-07-10 Thread Michael Casadevall via dev-security-policy
I appreciate the ground work Fabio put into this thus far, and want to see further discussion on it. I think the safest way to quantify and frame the discussion is asking if a CA (or subCA) has a vested interest in surveillance, other business interest, or government ties which would put a CA to

Re: DarkMatter Concerns

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 1:07 PM Nadim Kobeissi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I would like to support the statements made by both Fabio and Scott to the > extent that if Mozilla is to go forward with this decision, then I fully > expect them to review

Re: DarkMatter Concerns

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 12:29 PM fabio.pietrosanti--- via dev-security-policy wrote: > Said that, given the approach that has been following with DarkMatter > about "credible evidence" and "people safety" principles, i would strongly > argue that Mozilla should take action against the subject

Re: DarkMatter Concerns

2019-07-10 Thread Cynthia Revström via dev-security-policy
Hi Scott, Below is my personal view on it, I acknowledge that it is highly subjective. For one, people and companies in the UAE could get certs from non-UAE CAs. I live in Sweden, yet I have certs from Norwegian, British, and American CAs. Another issue I have is that I think there is a

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
I would like to support the statements made by both Fabio and Scott to the extent that if Mozilla is to go forward with this decision, then I fully expect them to review their existing CAs and to revoke onto OneCRL every one of them that has some news report or blog post linking them to nefarious

Re: DarkMatter Concerns

2019-07-10 Thread Scott Rea via dev-security-policy
G’day Folks, DigitalTrust first learned of the Mozilla decision via Reuters. We believe this is emblematic of Mozilla’s approach to our application which appears to have been predetermined from the outset. We believe yesterday’s decision is unfair and demonstrates an anti-UAE bias where a

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Nex, I doubt that anyone seriously believes that "reporters are lying out of their teeth." It is far more likely that the reporters are working within the realm of reason and covering things as they see them. So far all the actors in this appear to be behaving in ways that make sense

Re: DarkMatter Concerns

2019-07-10 Thread Fabio Pietrosanti via dev-security-policy
I understand the Nadim points, there's a lot of subjective biased "popular judgement". While from a security standpoint perspective "better safe than sorry" is a good statement, from a rights and fairness perspective that's a very bad. So further conversation is needed. Following DarkMatter

Re: DarkMatter Concerns

2019-07-10 Thread fabio.pietrosanti--- via dev-security-policy
I understand the Nadim points, there's a lot of subjective biased "popular judgement". While from a security standpoint perspective "better safe than sorry" is a good statement, from a rights and fairness perspective that's a very bad. So further conversation is needed. Following DarkMatter

Re: DarkMatter Concerns

2019-07-10 Thread Matthew Hardeman via dev-security-policy
Even if we stipulated that all those accounts were fully accurate, all those reports are about a separate business that happens to be owned by the same owner. Furthermore, in as far as none of those directly speak to their ability to own or manage a publicly trusted CA, I would regard those

Re: DarkMatter Concerns

2019-07-10 Thread Nex via dev-security-policy
I think that dismissing as baseless investigations from 9 different reporters, on 3 different newspapers (add one more, FP, if consider this[1]) is misleading. Additionally, it is just false to say all the articles only relied on anonymous sources (of which they have many, by the way), but there

Re: DarkMatter Concerns

2019-07-09 Thread Matthew Hardeman via dev-security-policy
On Sun, Jun 23, 2019 at 11:52 AM Cynthia Revström via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > My view is a bit different, we have lots of CAs already, I think it is more > important to be extra secure rather than to take unnecessary risks. > A position like this is

Re: DarkMatter Concerns

2019-07-09 Thread mono.riot--- via dev-security-policy
On Tuesday, July 9, 2019 at 11:46:05 PM UTC+2, Matthew Hardeman wrote: > ownership: Francisco Partners. It is difficult for me to see the > difference, objectively speaking. agree, but I think Francisco partners was ... rubbing the wrong way, too; and I think that issue was let go way too

Re: DarkMatter Concerns

2019-07-09 Thread Matthew Hardeman via dev-security-policy
On Tue, Jul 9, 2019 at 4:34 PM mono.riot--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I think it's less about a single person than about an alleged firewalling > of entities that end up being not firewalled at all, but all owned by the > same person in the end. >

Re: DarkMatter Concerns

2019-07-09 Thread mono.riot--- via dev-security-policy
On Tuesday, July 9, 2019 at 11:23:11 PM UTC+2, Matthew Hardeman wrote: > Truly horrid organizations and/or individuals passively own all kinds of > assets. A strong management team that can be trusted to keep commitments to > sound the alarm if the organization goes off track is one way to

Re: DarkMatter Concerns

2019-07-09 Thread Matthew Hardeman via dev-security-policy
On Tuesday, July 9, 2019 at 10:31:27 AM UTC-5, Wayne Thayer wrote: > DarkMatter has argued [3] that their CA business has always been operated > independently and as a separate legal entity from their security business. > Furthermore, DarkMatter states that once a rebranding effort is completed,

Re: DarkMatter Concerns

2019-07-09 Thread Nadim Kobeissi via dev-security-policy
I wanted to supplement my previous email with an observation on how this decision is already being covered by the same news outlets that are being cited in the case against DarkMatter. Reuters wrote this article:

Re: DarkMatter Concerns

2019-07-09 Thread Wayne Thayer via dev-security-policy
The bug requesting that the existing subordinate CAs be added to OneCRL is https://bugzilla.mozilla.org/show_bug.cgi?id=1564544 On Tue, Jul 9, 2019 at 8:31 AM Wayne Thayer wrote: > I would like to thank everyone for their constructive input on this > difficult issue. I would also like to thank

Re: DarkMatter Concerns

2019-07-09 Thread Nadim Kobeissi via dev-security-policy
Dear Wayne, I fully respect Mozilla's mission and I fully believe that everyone here is acting in good faith. That said, I must, in my capacity as a private individual, decry what I perceive as a dangerous shortsightedness and lack of intellectual rigor underlying your decision. I do this as

Re: DarkMatter Concerns

2019-07-09 Thread Wayne Thayer via dev-security-policy
I would like to thank everyone for their constructive input on this difficult issue. I would also like to thank DarkMatter representatives for participating in the open, public discussion. I feel that the discussion has now, after more than 4 months, run its course. The question that I originally

Re: DarkMatter Concerns

2019-06-23 Thread Cynthia Revström via dev-security-policy
My view is a bit different, we have lots of CAs already, I think it is more important to be extra secure rather than to take unnecessary risks. While I do understand that Dark Matter's focus is on the UAE, I also have to say, as far as I am aware, there are multiple CAs that will issue certs to

Re: DarkMatter Concerns

2019-06-23 Thread Nadim Kobeissi via dev-security-policy
That article doesn’t seem to say anything new about Dark Matter that hasn’t been reported before, doesn’t present evidence and doesn’t cite sources. Furthermore the article appears to allege that Dark Matter “discussed” potentially targeting The Intercept, not that it “tried to hack several of

Re: DarkMatter Concerns

2019-06-22 Thread cooperq--- via dev-security-policy
This thread hasn't been updated in a while so I'm not sure what the status is of dark matter being accepted but I thought this was a relevant update. The US-based reporting agency The Intercept recently issued a report claiming that Dark Matter has tried to hack several of their employees.

Re: DarkMatter Concerns

2019-05-15 Thread Wayne Thayer via dev-security-policy
Thank you for sharing this information Scott. On Wed, May 15, 2019 at 2:49 AM Scott Rea wrote: > > Please advise if additional information relating to this change is > required. > > As pointed out in earlier discussions about DarkMatter's QuoVadis-signed intermediates [1], and the policy 2.7

Re: DarkMatter Concerns

2019-05-15 Thread Scott Rea via dev-security-policy
G’day Folks, As previously discussed on this thread, the DarkMatter Trust Services practice (including DarkMatter CAs) has been operated in a separate entity to the DM Group, that entity is Digital Trust – Sole Proprietorship L.L.C. (“DigitalTrust”) which was established in the United Arab

Re: DarkMatter Concerns

2019-05-06 Thread galen.b.stephenson--- via dev-security-policy
Greetings, I'm basing my opinion on EFF's article (RE: https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else). I submit that EFF makes valid points and I agree with their assessment. DarkMatter appears to be a threat actor and should

Re: DarkMatter Concerns

2019-03-26 Thread rich.salz--- via dev-security-policy
> The New York Times article that you reference does not add anything new to > the misleading allegations previously published in the Reuters article. It > simply repeats ad-nauseum a false, and categorically denied, narrative about > DarkMatter, under the guise of an investigative reporting

Re: DarkMatter Concerns

2019-03-22 Thread Matthew Hardeman via dev-security-policy
I'm not sure on the weighting of the two sides that you point out, but I do broadly agree that it is about striking some balance between those two ends. That said, if all outcomes are equally bad, I think I favor the bad outcome that doesn't open the door to accusations of a discriminatory

Re: DarkMatter Concerns

2019-03-22 Thread Nadim Kobeissi via dev-security-policy
What a strange situation. On the one hand, denying DarkMatter's CA bid because of these press articles would set the precedent of refusing to accept the engagement and apparent good faith of a member of the industry, based only on hearsay and with no evidence. On the other hand, deciding to move

Re: DarkMatter Concerns

2019-03-22 Thread Wayne Thayer via dev-security-policy
On Fri, Mar 22, 2019 at 9:19 AM Benjamin Gabriel via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > On 2/24/19 11:08 AM, Nex wrote: > > > The New York Times just published another investigative report that > mentions > > DarkMatter at length, with additional testimonies

RE: DarkMatter Concerns

2019-03-22 Thread Benjamin Gabriel via dev-security-policy
Benjamin Gabriel | General Counsel & SVP Legal Tel: +971 2 417 1417 | Mob: +971 55 260 7410 benjamin.gabr...@darkmatter.ae The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged

RE: DarkMatter Concerns

2019-03-22 Thread Benjamin Gabriel via dev-security-policy
Benjamin Gabriel | General Counsel & SVP Legal Tel: +971 2 417 1417 | Mob: +971 55 260 7410 benjamin.gabr...@darkmatter.ae The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged

Re: DarkMatter Concerns

2019-03-21 Thread Nex via dev-security-policy
On 2/24/19 11:08 AM, Nex wrote: > On 2/23/19 11:07 AM, Scott Rea via dev-security-policy wrote: >> G’day Wayne et al, >> >> In response to your post overnight (included below), I want to assure you >> that DarkMatter’s work is solely focused on defensive cyber security, secure >> communications

Re: DarkMatter Concerns

2019-03-19 Thread Scott Rea via dev-security-policy
G’day Folks, It was a pleasure meeting many of the Mozilla community face to face at the CAB Forum meeting at Apple HQ last week. There are many others of you however, whose interface to the community is right here on this list, and so I wanted to share my perspective and feedback here on the

Re: DarkMatter Concerns

2019-03-08 Thread Ronald F. Guilmette via dev-security-policy
My apologies to the list for having unintentionally posted two rather different versions of the same post, one long, and one short. I had initially tried to post using the Google Groups web interface, but there was, apparently, a dramatic lag time in that post actually being relayed to the list

Re: DarkMatter Concerns

2019-03-08 Thread rfg.no.like--- via dev-security-policy
Wow! I read this whole thread from top to bottom this afternoon/evening, and all I got was a splitting headache and this lousy t-shirt: https://bit.ly/2UpZxIz But seriously folks, just a couple of simple questions. Firstly, is this a private discussion or may any member of the Great Unwashed

Re: DarkMatter Concerns

2019-03-08 Thread Ken Myers (personal capacity) via dev-security-policy
On Thursday, March 7, 2019 at 11:14:46 AM UTC-5, Matthew Hardeman wrote: > On Thu, Mar 7, 2019 at 10:10 AM Ken Myers (personal capacity) via > dev-security-policy wrote: > > > Is the issue that a Dark Matter business unit may influence the Dark > > Matter Trust Services (a separate unit, but

Re: DarkMatter Concerns

2019-03-08 Thread Jaime Hablutzel via dev-security-policy
On Thursday, March 7, 2019 at 6:35:13 PM UTC-5, Matt Palmer wrote: > On Thu, Mar 07, 2019 at 10:20:34AM -0600, Matthew Hardeman wrote: > > Let's Encrypt does not quite provide certificates to everyone around the > > world. They do prevent issuance to and revoke prior certificates for those > > on

Re: DarkMatter Concerns

2019-03-08 Thread Ronald F. Guilmette via dev-security-policy
I've read what I believe to be all of the messages in this thread to date, but it appears that I may have missed something. The word "transparency" and/or derivatives thereof has come up several times in this thread. Also, that same word, or derivatives thereof, was/were included no fewer than

Re: DarkMatter Concerns

2019-03-07 Thread Jaime Hablutzel via dev-security-policy
On Thursday, March 7, 2019 at 1:27:42 PM UTC-5, Kristian Fiskerstrand wrote: > On 3/7/19 6:59 PM, Jaime Hablutzel via dev-security-policy wrote: > > So the following holds true and (from my point of view) very critical > > indeed. Quoting Benjamin Gabriel: > > > >> ...that sovereign nations have

Re: DarkMatter Concerns

2019-03-07 Thread Jaime Hablutzel via dev-security-policy
On Thursday, March 7, 2019 at 10:17:21 AM UTC-5, Ryan Sleevi wrote: > On Thu, Mar 7, 2019 at 9:52 AM Jaime Hablutzel via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > I would just like to remind you all the universally accepted concept of > > "Presumption of

Re: DarkMatter Concerns

2019-03-07 Thread Matt Palmer via dev-security-policy
On Thu, Mar 07, 2019 at 05:30:24PM -0600, Matthew Hardeman wrote: > On Thu, Mar 7, 2019 at 5:14 PM Matt Palmer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > Whilst those are all good points, I don't see how any of them require the > > CA > > to control an

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 5:35 PM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > In the face of exterior political force, the people of the UAE couldn't get > *globally trusted* certificates full-stop. Off the top of my head, all of > the widely-adopted web

Re: DarkMatter Concerns

2019-03-07 Thread Matt Palmer via dev-security-policy
On Thu, Mar 07, 2019 at 10:20:34AM -0600, Matthew Hardeman wrote: > Let's Encrypt does not quite provide certificates to everyone around the > world. They do prevent issuance to and revoke prior certificates for those > on the United States various SDN (specially designated nationals) lists. >

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 5:14 PM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Whilst those are all good points, I don't see how any of them require the > CA > to control an unconstrained intermediate CA certificate (or a root > certificate). All of those

Re: DarkMatter Concerns

2019-03-07 Thread Matt Palmer via dev-security-policy
On Thu, Mar 07, 2019 at 04:59:16PM +, Scott Rea via dev-security-policy wrote: > I am committed to a respectful dialogue, and I too (as others have already > suggested here) would appreciate clear and definitive criteria in respect > to what Mozilla requires to enable DM Trust Services to

Re: DarkMatter Concerns

2019-03-07 Thread Matt Palmer via dev-security-policy
On Thu, Mar 07, 2019 at 03:39:46AM -0800, nadim--- via dev-security-policy wrote: > I think we're all choosing to kid ourselves here if we continue to say > that the underlying impetus for this discussion isn't primarily > sociopolitical. You're free to think whatever you like. You're *wrong*,

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 11:55 AM Wayne Thayer wrote: This line of thinking seems to conflate a few different issues. > That is true. I apologize for that, but also feel that some of these different issues and how they'd play out in relation with this current matter and ultimately with the

Re: DarkMatter Concerns

2019-03-07 Thread Matt Palmer via dev-security-policy
On Wed, Mar 06, 2019 at 08:56:47PM -0800, astronut--- via dev-security-policy wrote: > Setting aside the discussion about DarkMatter specifically, here are some > ways in which having a CA in a new jurisdiction that isn't currently > represented in the ecosystem can bring value: > > * Allow users

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 11:33 AM Wayne Thayer wrote: > Nadim and Matthew, > > Can you explain and provide examples for how this "set of empirical > requirements" differs from the objective requirements that currently exist? > Hi, Wayne, I think the matter of whether or not I could or should

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 11:29 AM James Burton wrote: > I'm talking about someone from a restricted country using an undocumented > domain name to obtain a Let's Encrypt certificate and there is nothing that > can be done about it. We can't predict the future. > So your assertion, then, is that

Re: DarkMatter Concerns

2019-03-07 Thread Kristian Fiskerstrand via dev-security-policy
On 3/7/19 6:59 PM, Jaime Hablutzel via dev-security-policy wrote: > So the following holds true and (from my point of view) very critical > indeed. Quoting Benjamin Gabriel: > >> ...that sovereign nations have the fundamental right to provide >> digital services to their own citizens, utilizing

Re: DarkMatter Concerns

2019-03-07 Thread Jaime Hablutzel via dev-security-policy
On Thursday, March 7, 2019 at 12:30:03 PM UTC-5, James Burton wrote: > I'm talking about someone from a restricted country using an undocumented > domain name to obtain a Let's Encrypt certificate and there is nothing that > can be done about it. Until they get caught and their certificates

Re: DarkMatter Concerns

2019-03-07 Thread Jaime Hablutzel via dev-security-policy
On Thursday, March 7, 2019 at 11:20:54 AM UTC-5, Matthew Hardeman wrote: > On Thu, Mar 7, 2019 at 4:20 AM James Burton via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > > There isn't any monopoly that prevents citizens and organizations in the > > United Arab

Re: DarkMatter Concerns

2019-03-07 Thread Wayne Thayer via dev-security-policy
On Thu, Mar 7, 2019 at 9:20 AM Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > What the people of the UAE don't have today is the ability to acquire > globally trusted certificates from a business in their own legal > jurisdiction who would be able to

Re: DarkMatter Concerns

2019-03-07 Thread Wayne Thayer via dev-security-policy
Nadim and Matthew, Can you explain and provide examples for how this "set of empirical requirements" differs from the objective requirements that currently exist? Nadim, your latest suggestion sounds different from your earlier suggestion that Mozilla provide a "set of unambiguous statements for

Re: DarkMatter Concerns

2019-03-07 Thread James Burton via dev-security-policy
I'm talking about someone from a restricted country using an undocumented domain name to obtain a Let's Encrypt certificate and there is nothing that can be done about it. We can't predict the future. Thank you, Burton On Thu, Mar 7, 2019 at 5:23 PM Matthew Hardeman wrote: > > On Thu, Mar 7,

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 11:11 AM James Burton wrote: > Let's be realistic, anyone can obtain a domain validated certificate from > Let's Encrypt and there is nothing really we can do to prevent this from > happening. Methods exist. > I am continuing to engage in this tangent only in as far as it

Re: DarkMatter Concerns

2019-03-07 Thread James Burton via dev-security-policy
Let's be realistic, anyone can obtain a domain validated certificate from Let's Encrypt and there is nothing really we can do to prevent this from happening. Methods exist. Thank you, Burton On Thu, Mar 7, 2019 at 4:59 PM Matthew Hardeman wrote: > > On Thu, Mar 7, 2019 at 10:54 AM James

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 10:54 AM James Burton wrote: > Let's Encrypt issues domain validation certificates and anyone with a > suitable domain name (e.g. .com, .net, .org ) can get one of these > certificates just by proving control over the domain by using the DNS or " >

Re: DarkMatter Concerns

2019-03-07 Thread Scott Rea via dev-security-policy
G’day Folks, My apologies, I have been airborne without connectivity and it appears I have a LOT of dialogue to catch up on. At DarkMatter, we are passionate about what we do (as I know most folks contributing here are also - just by very nature of the time and effort taken to engage). The

Re: DarkMatter Concerns

2019-03-07 Thread James Burton via dev-security-policy
I mean country location of the individual doesn't matter. They could be for example be using a VPN to connect to Google Cloud instance and get a certificate that way. Thank you, Burton On Thu, Mar 7, 2019 at 4:53 PM James Burton wrote: > Let's Encrypt issues domain validation certificates and

Re: DarkMatter Concerns

2019-03-07 Thread James Burton via dev-security-policy
Let's Encrypt issues domain validation certificates and anyone with a suitable domain name (e.g. .com, .net, .org) can get one of these certificates just by proving control over the domain by using the DNS or "/.well-known/pki-validation" directory as stated in the CAB Forum baseline

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 10:20 AM Matthew Hardeman wrote: > > Let's Encrypt does not quite provide certificates to everyone around the > world. They do prevent issuance to and revoke prior certificates for those > on the United States various SDN (specially designated nationals) lists. > For

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 4:20 AM James Burton via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > There isn't any monopoly that prevents citizens and organizations in the > United Arab Emirates to get certificates from CAs and they are not > expensive. Let's Encrypt provides

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 10:10 AM Ken Myers (personal capacity) via dev-security-policy wrote: > Is the issue that a Dark Matter business unit may influence the Dark > Matter Trust Services (a separate unit, but part of the same company) to > issue certificates for malicious purposes? > > or is it

Re: DarkMatter Concerns

2019-03-07 Thread Matthew Hardeman via dev-security-policy
On Thu, Mar 7, 2019 at 9:18 AM nadim--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I would like to repeat my call for establishing a set of empirical > requirements that take into account the context of DarkMatter's current > position in the industry as well as

Re: DarkMatter Concerns

2019-03-07 Thread Ken Myers (personal capacity) via dev-security-policy
Is the issue that a Dark Matter business unit may influence the Dark Matter Trust Services (a separate unit, but part of the same company) to issue certificates for malicious purposes? or is it a holistic corporate ethics issue (in regards to Mozilla community safety) of a Mozilla-trusted

Re: DarkMatter Concerns

2019-03-07 Thread Nadim Kobeissi via dev-security-policy
On Thu, Mar 7, 2019, 4:29 PM Ryan Sleevi wrote: > > On Thu, Mar 7, 2019 at 10:18 AM nadim--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> I think we're all choosing to kid ourselves here if we continue to say >> that the underlying impetus for this discussion

Re: DarkMatter Concerns

2019-03-07 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 7, 2019 at 10:18 AM nadim--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I think we're all choosing to kid ourselves here if we continue to say > that the underlying impetus for this discussion isn't primarily > sociopolitical. The sooner an end is put to

Re: DarkMatter Concerns

2019-03-07 Thread Peter Bowen via dev-security-policy
On Thu, Mar 7, 2019 at 12:09 AM Benjamin Gabriel via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > A fair and transparent public discussion requires full disclosure of each > participant's motivations and ultimate agenda. Whether in CABForum, or >

Re: DarkMatter Concerns

2019-03-07 Thread nadim--- via dev-security-policy
I would like to repeat my call for establishing a set of empirical requirements that take into account the context of DarkMatter's current position in the industry as well as their specific request for the inclusion of a specific root CA. While I don't necessarily fully support the method with

Re: DarkMatter Concerns

2019-03-07 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 7, 2019 at 9:52 AM Jaime Hablutzel via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I would just like to remind you all the universally accepted concept of > "Presumption of innocence". Quoting from > https://en.wikipedia.org/wiki/Presumption_of_innocence: > >

DarkMatter Concerns

2019-03-07 Thread jeff--- via dev-security-policy
This thread is full of strong policy reasons why DarkMatter’s intermediates should no longer be trusted. Those reasons alone would be enough for expeditious action. The risks to users discovered from recent reporting reinforce them. I hope we don’t see too long of a delay before the root

Re: DarkMatter Concerns

2019-03-07 Thread astronut--- via dev-security-policy
[Writing in a personal capacity, these views do not represent those of my employer] On Wednesday, March 6, 2019 at 7:51:21 AM UTC-8, Ryan Sleevi wrote: > > As it relates to TLS certificates, which is the purpose of discussion for > this root inclusion, could you highlight or explain why

DarkMatter Concerns

2019-03-07 Thread racingtree--- via dev-security-policy
Thanks Wayne, This comment is made entirely in my personal capacity, and should not be assumed to reflect the views of my employer... Upfront disclaimer: I don’t think I have an answer, but I hope I can help define the problem. Your question takes me back to the early days of CAs, when it
