The recent Reuters report on DarkMatter [1] has prompted numerous questions about their root inclusion request [2]. The questions that are being raised are equally applicable to their current status as a subordinate CA under QuoVadis (recently acquired by DigiCert [3]), so it seems appropriate to open up a discussion now. The purpose of this discussion is to determine if Mozilla should distrust DarkMatter by adding their intermediate CA certificates that were signed by QuoVadis to OneCRL, and in turn deny the pending root inclusion request.
The rationale for distrust is that multiple sources [1][4][5] have provided credible evidence that spying activities, including use of sophisticated targeted surveillance tools, are a key component of DarkMatter’s business, and such an organization cannot and should not be trusted by Mozilla. In the past Mozilla has taken action against CAs found to have issued MitM certificates [6][7]. We are not aware of direct evidence of misused certificates in this case. However, the evidence does strongly suggest that misuse is likely to occur, if it has not already. Mozilla’s Root Store Policy [8] grants us the discretion to take actions based on the risk to people who use our products. Despite the lack of direct evidence of misissuance by DarkMatter, this may be a time when we should use our discretion to act in the interest of individuals who rely on our root store.

I would greatly appreciate everyone's constructive input on this issue.

- Wayne

[1] https://www.reuters.com/investigates/special-report/usa-spying-raven/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/hicp7AW8sLA/KUSn20MrDgAJ
[4] https://www.evilsocket.net/2016/07/27/How-The-United-Arab-Emirates-Intelligence-Tried-to-Hire-me-to-Spy-on-its-People/
[5] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
[6] https://groups.google.com/d/msg/mozilla.dev.security.policy/czwlDNbwHXM/Fj-LUvhVQYEJ
[7] https://bugzilla.mozilla.org/show_bug.cgi?id=1232689
[8] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/