I would like to thank everyone for their constructive input on this
difficult issue. I would also like to thank DarkMatter representatives for
participating in the open, public discussion. I feel that the discussion
has now, after more than 4 months, run its course.

The question that I originally presented [1] to this community was about
distrusting DarkMatter’s current intermediate CA certificates (6 total)
based on credible evidence of spying activities by the company. While a
decision to revoke trust in these intermediates would likely result in a
denial of DarkMatter’s root inclusion request [2], the public discussion
for that request has not yet begun. A decision not to revoke these
intermediates does not necessarily mean that the inclusion request will be
approved.

Some of this discussion has revolved around compliance issues, the most
prominent one being the serial number entropy violations discovered by
Corey Bonnell. While these issues would certainly be a consideration when
evaluating a root inclusion request, they are not sufficient to have
triggered an investigation aimed at revoking trust in the DarkMatter
intermediates or QuoVadis roots. Therefore, they are not relevant to the
question at hand.

Much of the discussion has been about the desire for inclusion and distrust
decisions to be made based on objective criteria that must be satisfied.
However, if we rigidly applied our existing criteria, we would deny most
inclusion requests. As I stated earlier in this thread, every distrust
decision has a substantial element of subjectivity. One can argue that
we’re discussing a different kind of subjectivity here, but it still
amounts to a decision being made based on a collective assessment of all
the information at hand rather than a checklist.

Some, including DarkMatter representatives [3], have declared the need to
examine and consider the benefits of having DarkMatter as a trusted CA.
However, last year we changed our policy to replace the weighing of
benefits and risks with “based on the risks of such inclusion to typical
users of our products.” [4]

Perhaps the most controversial element in this discussion has been the
consideration of “credible evidence”. The first component is the inherent
uncertainty over what is “credible”, especially in this day and age. While
it has been pointed out that respected news organizations are not beyond
reproach [5], having four independent articles [6][7][8][9] from reputable
sources published years apart does provide some indication that the
allegations are credible. These articles are also extensively sourced.

If we assume for a second that these allegations are true, then there is
still a sincere debate over what role they should play in our decision to
trust DarkMatter as a CA. The argument for considering these allegations is
akin to the saying “where there’s smoke there’s fire”, while the argument
against can be described as “innocent until proven guilty”.

DarkMatter has argued [3] that their CA business has always been operated
independently and as a separate legal entity from their security business.
Furthermore, DarkMatter states that once a rebranding effort is completed,
“the DarkMatter CA subsidiary will be completely and wholly separate from
the DarkMatter Group of companies in their entirety.” However, in the same
message, DarkMatter states that “Al Bannai is the sole beneficial
shareholder of the DarkMatter Group.” and leaves us to assume that Mr. Al
Bannai would remain the sole owner of the CA business. More recently,
DarkMatter announced that they are transitioning all aspects of the
business to DigitalTrust and confirmed that Al Bannai controls this entity.
This ownership structure does not assure me that these companies have the
ability to operate independently, regardless of their names and legal
structure.

Mozilla’s principles should be at the heart of this decision. The Mozilla
Manifesto [10] states:

“Individuals’ security and privacy on the internet are fundamental and must
not be treated as optional.”

And our Root Store policy states: “We will determine which CA certificates
are included in Mozilla's root program based on the risks of such inclusion
to typical users of our products.”

In other words, our foremost responsibility is to protect individuals who
rely on Mozilla products. I believe this framing strongly supports a
decision to revoke trust in DarkMatter’s intermediate certificates. While
there are solid arguments on both sides of this decision, it is reasonable
to conclude that continuing to place trust in DarkMatter is a significant
risk to our users. I will be opening a bug requesting the distrust of
DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also
recommend denial of the pending inclusion request, and any new requests
from DigitalTrust.

In the past, we’ve seen CAs attempt to make an end run around adverse trust
decisions - through an acquisition, a shell company, etc. We will treat any
such attempt as a violation of this decision and act accordingly. Mozilla
does welcome DigitalTrust as a “managed” subordinate CA under the oversight
of an existing trusted CA that retains control of domain validation and the
private keys.

This discussion has highlighted an opportunity to improve our review of new
externally-operated subordinate CAs [11]. This issue [12] is part of the
current policy update discussions.

Wayne

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/mJ0EV2eoCgAJ
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/58F6FgeGOz8/Zzb-r76wBQAJ
[5] https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/11/27/bloomberg-is-still-reporting-on-challenged-story-regarding-china-hardware-hack/
[6] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
[7] https://www.reuters.com/investigates/special-report/usa-spying-raven/
[8] https://www.nytimes.com/2019/03/21/us/politics/government-hackers-nso-darkmatter.html
[9] https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/
[10] https://www.mozilla.org/en-US/about/manifesto/
[11] https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits
[12] https://github.com/mozilla/pkipolicy/issues/169
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy