Hi!

Just wanted to briefly comment in response to Benjamin Gabriel's statement. 

On Tuesday, March 5, 2019 at 7:07:51 AM UTC-8, Benjamin Gabriel wrote:

> Marshal Erwin, director of trust and security for Mozilla, said the Reuters 
> Jan. 30 report had raised concerns inside the company that DarkMatter might 
> use Mozilla’s certification authority for “offensive cybersecurity purposes 
> rather than the intended purpose of creating a more secure, trusted web.” 
> 
> “We don’t currently have technical evidence of misuse (by DarkMatter) but the 
> reporting is strong evidence that misuse is likely to occur in the future if 
> it hasn’t already,” said Selena Deckelmann, a senior director of engineering 
> for Mozilla.”
> 

I think what you've quoted are accurate statements. That is, recent articles 
raised questions that I, and others, felt were important to bring to this 
public forum to discuss. 

For that purpose, in the interest of a full public and transparent discussion 
of this trust decision, I appreciate DarkMatter engaging in this forum.

Wayne recently posted about our reasons for maintaining our own CA root program 
[1] and quoted the Mozilla Manifesto which states that "Individuals' security 
and privacy on the internet are fundamental and must not be treated as 
optional." He also stated the benefits of our process, where "we give 
individuals a voice in these trust decisions."

Thank you also to all the thoughtful contributors to this discussion, in 
particular this detailed analysis from Ryan Sleevi [2]. 

We make good on our commitments in the Manifesto when we bring these 
challenging discussions into the open. 

-selena

[1] https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/rNWEMEkUAQAJ
 
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
