On Fri, Feb 22, 2019, at 16:21, Wayne Thayer via dev-security-policy wrote:
> Despite the lack of
> direct evidence of misissuance by DarkMatter, this may be a time when we
> should use our discretion to act in the interest of individuals who rely on
> our root store.

It's worth noting that DarkMatter has already been documented to have misissued 
certificates, though not in a way that is obviously for malicious purposes.

1) As discovered by Rob Stradling[1], they issued at least two certificates
with a CN that was not included in the SAN extension. An incident report was
requested[2], but I was unable to find it in Bugzilla or on this mailing list.

2) https://crt.sh/?id=271084003&opt=zlint - This certificate has an invalid 
domain `apiuat.o`. I'm not aware of prior discussion about this.

With regard to the broader question, I believe that DarkMatter's alleged
involvement with hacking campaigns is incompatible with operating a trustworthy
CA. This, combined with the existing record of apparent incompetence by
DarkMatter (compare the inclusion bugs for other recently approved CAs for
contrast), makes me believe that the approval request should be denied and the
existing intermediates revoked via OneCRL. I don't see how approving them, or
the continued trust in their intermediates, would be in the interests of
Mozilla's users or compatible with the Mozilla Manifesto.

Jonathan

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c29
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c32
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
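The two misissuance patterns cited in the message above (a subject CN absent from the SAN extension, and a SAN dNSName such as `apiuat.o` whose top-level label is not a real TLD) are exactly the kind of thing a certificate linter catches. The following Go program is an added example, not code from the thread, from Mozilla, or from zlint: it builds self-signed leaf certificates in memory as constructed test input and runs two checks over them. The finding codes (`cn_not_in_san`, `invalid_dnsname`) are this example's own names, and the FQDN check is a structural approximation (LDH labels, a TLD of at least two characters that is not all digits) rather than a lookup against the IANA root zone, which is what zlint's TLD lint actually does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// Finding is one lint result. Codes are this example's own, not zlint's.
type Finding struct {
	Code string
	Msg  string
}

// labelRe: one LDH label (letters, digits, hyphen), 1-63 chars, no leading/trailing hyphen.
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// validDNSName is a structural approximation of "is a valid FQDN": at least
// two labels, every label LDH, and a TLD of two or more characters that is not
// purely numeric. It does not consult the IANA root zone (assumption: a
// structural check is enough to illustrate the point), but it still rejects a
// one-letter TLD such as "apiuat.o".
func validDNSName(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" || len(name) > 253 {
		return false
	}
	labels := strings.Split(name, ".")
	if len(labels) < 2 {
		return false
	}
	for i, l := range labels {
		if i == 0 && l == "*" { // a wildcard is only allowed as the leftmost label
			continue
		}
		if !labelRe.MatchString(l) {
			return false
		}
	}
	tld := labels[len(labels)-1]
	return len(tld) >= 2 && strings.Trim(tld, "0123456789") != ""
}

// LintLeaf applies the two checks discussed in the thread to a parsed certificate:
// the CN (if present) must also appear in the SAN, and every dNSName must be a
// well-formed FQDN.
func LintLeaf(cert *x509.Certificate) []Finding {
	var out []Finding
	if cn := cert.Subject.CommonName; cn != "" {
		found := false
		for _, d := range cert.DNSNames {
			if strings.EqualFold(d, cn) {
				found = true
			}
		}
		for _, ip := range cert.IPAddresses {
			if ip.String() == cn {
				found = true
			}
		}
		if !found {
			out = append(out, Finding{"cn_not_in_san", fmt.Sprintf("CN %q not present in SAN", cn)})
		}
	}
	for _, d := range cert.DNSNames {
		if !validDNSName(d) {
			out = append(out, Finding{"invalid_dnsname", fmt.Sprintf("SAN dNSName %q is not a valid FQDN", d)})
		}
	}
	return out
}

// makeCert builds a self-signed leaf in memory (constructed test input, no real
// CA involved) so the linter can be exercised offline. Go's encoder and parser
// only require dNSNames to be IA5 strings, so a bogus name like "apiuat.o" is
// accepted and reaches the linter, just as it reached crt.sh.
func makeCert(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		cn  string
		san []string
	}{
		{"www.example.com", []string{"example.com"}},                    // CN missing from SAN
		{"apiuat.o", []string{"apiuat.o"}},                              // one-letter TLD
		{"www.example.com", []string{"www.example.com", "example.com"}}, // clean
	}
	for _, c := range cases {
		cert, err := makeCert(c.cn, c.san)
		if err != nil {
			panic(err)
		}
		fmt.Printf("CN=%s SAN=%v\n", c.cn, c.san)
		for _, f := range LintLeaf(cert) {
			fmt.Printf("  %s: %s\n", f.Code, f.Msg)
		}
	}
}
```

To run the same checks against a real certificate from crt.sh, replace `makeCert` with `x509.ParseCertificate` over the DER bytes; the lint functions do not care where the certificate came from. A production linter would additionally check the IANA TLD list, the wildcard rules and the CA/Browser Forum's restriction that the CN must be copied from the SAN rather than merely overlapping with it.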
