On Tue, Mar 5, 2019 at 8:16 AM Alex Gaynor via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> You're right, there is no test. That's why some of us believe we should
> look at proxies: such as honesty, considering root membership is ultimately
> about trust. DM has made claims that I am unable to understand in any way
> besides lying.

Unless the lies are material and relate to their CA operations, I don't think it's relevant. One has to approach these stories with skepticism. Bloomberg is regarded as reputable, but look at the SuperMicro case. If there are provable commissions of dishonest behavior material to the operations of the CA, I would think these would have been offered up by now.

> As you are well aware, there is a neighboring claim that _is_ accurate.
> Which is that a malicious root CA would be able to issue for any domain,
> and thus issue certificates to enable MITM. While it is misleading to say
> that DM would be able to decrypt all customer data, it's completely true
> that DM would be able to MITM _any_ TLS traffic -- customer or not!

And yet many tiny CAs exist, and if we look at the economics of CAs today, some of them must be struggling. If this were their [DarkMatter's] intent, rather than establishing a long term service, wouldn't they just buy up one of those and delay the disclosure? If we're assuming that their nefarious presumptive interception demanding client is the national government of the UAE, it's clear that there's plenty of cash to do just that. With that kind of money, you don't really even need to buy up a tiny CA. You could likely just purchase the very integrity of the operators of one.

> Do you believe there is _any_ outside activity a CA could engage in, while
> still maintaining clean audits, that should disqualify them for membership in
> the Mozilla Root Program?

Personally, I think the value of the audits is rather limited, but it does catch some things and remains a good safety.
Certificate Transparency has done a great deal to improve this space and is, going forward, an even more valuable check on corruption.

Objections to DarkMatter on the sole basis of the actions of a sibling business with common owners is dangerous turf to get into, if we care about historic precedent. Not only for corporate MITM but for straight-up malware as well.

Until quite recently the operation presently called Sectigo was called Comodo and for a not brief period was owned by Francisco Partners, an organization which also owns/owned the NSO Group. Additionally, and before Symantec would ultimately be untrusted for entirely unrelated reasons, Symantec owned BlueCoat.

This means there are two recent precedents for which this category of issues has not resulted in delegation of trust and one proposal that the same category of behaviors should.

I am not suggesting that a position against DarkMatter on this basis is an indicator of xenophobia or bias against a particular national affiliation, but I do wonder how one would defend against such an accusation.