On Tue, Mar 5, 2019 at 12:18 PM Ryan Sleevi <r...@sleevi.com> wrote:
>
> I believe you may have misunderstood the details of these incidents and
> their relationship to what's currently under discussion.
>
> In the Sectigo + NSO Group, these were entities that shared common
> investment ownership, but otherwise operated as distinct business entities.
> In the Symantec + BlueCoat, these were integrated organizations - and the
> concern was raised about ensuring that the entity BlueCoat did not have
> access to the key material operated by the Symantec entity. In this case,
> the Symantec entity asserted that the keys, operations, and audits were
> under its scope - BlueCoat was prevented from having access or control. [1]
>
> Both of those cases acknowledged a potential of conflicting interests, and
> worked to distinguish how those conflicting interests would not conflict
> with the community needs or goals.
>
> By comparison, the discussion around DarkMatter has been more similar to
> the discussion of Symantec rather than Sectigo, except DarkMatter has
> issued carefully worded statements that may, to some, appear to be denials,
> while to others, suggest rather large interpretative loopholes. This,
> combined with the interpretative issues that have been shown throughout the
> inclusion process - for which the serial numbers are merely the most recent
> incident, but by no means the first, raises concerns that there may be
> interpretative differences in the nature of the statements provided or the
> proposed guarantees. This seems like a reasonable basis of concern. Recall
> when TrustWave provided a similar creative interpretation regarding a MITM
> certificate it issued for purposes of "local" traffic inspection [2][3],
> attempting to claim it was not a BR violation. Or recall that Symantec made
> similar claims that the 30,000+ certificates that it could not demonstrate
> adhered to the BRs were somehow, nevertheless, not "misissued" [4] - as if
> the point of concern was the semantic statement of misissuance, rather than
> the systemic failure of the controls and the resulting lack of assurance.
>
I do acknowledge the difference here, and I appreciate your bringing this particular concern to my attention. As always, your depth of knowledge and experience in the evolution of this area is astounding.

I suppose my initial response to the concern as presented is that it would seem to be a fairly trivial (just paperwork, really) matter for DarkMatter (or indeed any other applicant) to separate the CA into a fully separate legal entity with common ownership interest with any other business they may currently have going on. I put forth the question as to whether or not the assurances you reference and the legal structuring you note are an actual, effective risk mitigation. I see two elements in this which might be said to be the real underlying risk mitigation:

1. The legal structure and common ownership is truly the safety mechanism. I find this... tenuous. I'm not sure any piece of paper ever really kept a bad actor from acting bad. This seems very much like "Meet the new boss [who's wholly owned by the old boss], same as the old boss." In essence, I think if the matter on which the trust hangs is slightly different nuances to first party assertions, that this is so thin and consequence free in the violation that I regard it as not really material.

2. Maybe the real risk mitigation is self-interested asset appreciation / asset protection. What I mean by this is that quite simply the ownership of a hypothetical CA and a hypothetical "bad business" -- however we define it but construed such that the "bad business" has an apparent conflict in that they'd like to abuse their owner's CA's trust -- will act to defend their business interest (in this case the value of each of the business segments) by preventing one of their business segments from destroying the continued value of the other segment. (We can agree, I believe, that a CA that no one trusts has essentially no value.)

It's pretty clear that I put more faith in a business' "greedy" self-interest than I do in legal entity paperwork games. Which, I believe, raises an intriguing concept. What if the true test of a CA's trustworthiness is, in fact, a mutually understandable apparent value build / value preservation on a standalone basis of the asset that is the CA? In other words, maybe we can only trust a CA whose value proposition to the ownership we can reasonably understand from the perspective of the ownership, if we limit that value only to the value that can be derived in a fully-legitimate use of the CA determined as a going value of the CA from a fully standalone basis in addition to the value of the CA in the overall scope of the larger business, constrained to only the legitimate synergies that may arise.

> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy