On Tuesday, March 5, 2019 at 7:18:39 PM UTC+1, Ryan Sleevi wrote:
> On Tue, Mar 5, 2019 at 12:11 PM Matthew Hardeman via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> By comparison, the discussion around DarkMatter has been more similar to
> the discussion of Symantec rather than Sectigo, except DarkMatter has
> issued carefully worded statements that may, to some, appear to be denials,
> while to others, suggest rather large interpretative loopholes. This,
> combined with the interpretative issues that have been shown throughout the
> inclusion process - for which the serial numbers are merely the most recent
> incident, but by no means the first, raises concerns that there may be
> interpretative differences in the nature of the statements provided or the
> proposed guarantees. This seems like a reasonable basis of concern. Recall
> when TrustWave provided a similar creative interpretation regarding a MITM
> certificate it issued for purposes of "local" traffic inspection [2][3],
> attempting to claim it was not a BR violation. Or recall that Symantec made
> similar claims that the 30,000+ certificates that it could not demonstrate
> adhered to the BRs were somehow, nevertheless, not "misissued" [4] - as if
> the point of concern was the semantic statement of misissuance, rather than
> the systemic failure of the controls and the resulting lack of assurance.
>
> In this regard, there is at least precedent that such interpretative
> differences do not bode well.
Perhaps it would be helpful for Mozilla to posit a set of unambiguous statements that it would require DarkMatter to categorically and fully deny. The goal of doing so would be to quell any potential "interpretative loopholes" within DarkMatter's denials. That could be a way of moving parts of this discussion solidly forward.