I appreciate the ground work Fabio put into this thus far, and want to see further discussion on it.

I think the safest way to quantify and frame the discussion is asking if a CA (or subCA) has a vested interest in surveillance, other business interests, or government ties which would make a CA more likely to abuse the trust, or has a history of business practices related to surveillance or practices against the public interest in regards to WebPKI. I recognize the points Scott brought up, but trust is always a subjective thing. As previously pointed out, Mozilla has always retained the ability to choose what to include or disallow based on community input, and this entire thread shows there is a lot of community input here.

The problem with auditing in general is it's only going to catch information that is logged and archived in a corporation. It's an assurance step but in and of itself is not enough to establish trust; it's not uncommon for misissuances and other issues to be noted by the community from information in the wild.

Michael

On 7/10/19 3:59 AM, fabio.pietrosanti--- via dev-security-policy wrote:
> I understand the Nadim points, there's a lot of subjective biased "popular judgement".
>
> While from a security standpoint perspective "better safe than sorry" is a good statement, from a rights and fairness perspective that's a very bad one.
>
> So further conversation is needed.
>
> Following DarkMatter removal I would love to bring to the attention of Mozilla the removal of a list of companies that do, as a main business, other stuff, but also do offensive security and surveillance with public "credible evidences".
>
> I've analysed the Intermediate CA list where DarkMatter is, here: https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts
>
> In this list it is possible to find the following companies operating against "people's safety", and there are "credible evidences" they are doing so:
>
> * Saudi Telecom Company
>
> This company is publicly known to ask to surveil and intercept people as per "credible evidences" on:
> https://moxie.org/blog/saudi-surveillance/
> https://citizenlab.ca/2014/06/backdoor-hacking-teams-tradecraft-android-implant/
>
> * German Rohde & Schwarz
>
> This company does produce, install and support surveillance systems for intelligence agencies in regimes such as Turkmenistan:
> https://www.rferl.org/a/german-tech-firm-s-turkmen-ties-trigger-surveillance-concerns/29759911.html
>
> They sell solutions to intelligence agencies such as IMSI catchers and massive internet surveillance tools:
> https://www.rohde-schwarz.com/en/solutions/aerospace-defense-security/overview/aerospace-defense-overview_229832.html
>
> * US "Computer Sciences Corporation"
>
> CSC is a US Intelligence and Defense contractor that does CNE (Computer Network Exploitation), as the WikiLeaks ICWatch shows.
>
> Read the profile of a former employee of CSC, doing CNE like Snowden was doing:
> https://icwatch.wikileaks.org/docs/rLynnette-Jackson932c7871cb1e83f3%3Fsp=0ComputerSciencesCorporationCyberSecurityAnalystSystemsEngineerRemoteSystemAdministrator2008-09-01icwatch_indeed
>
> Additionally, on their Wikipedia page they acknowledge working for US Intel:
> https://en.wikipedia.org/wiki/Computer_Sciences_Corporation
>
> CSC provided services to the United States Department of Defense,[23] law enforcement and intelligence agencies (FBI,[24] CIA, Homeland Security[23]), aeronautics and aerospace agencies (NASA). In 2012, U.S. federal contracts accounted for 36% of CSC total revenue.[25]
>
> * Australia's Attorney-General's Department
>
> Australia's Attorney-General's Department is a government agency that wants to permit the Australian Security Intelligence Organisation (ASIO) to hack IT systems belonging to non-involved, non-targeted parties.
>
> It operates against people's safety and there's credible evidence of their behaviour in supporting ASIO to hack people, so they are very likely to abuse their intermediate CA:
> http://www.h-online.com/security/news/item/Australian-secret-services-to-get-licence-to-hack-1784139.html
>
> * US "National Geospatial-Intelligence Agency" https://www.nga.mil
>
> The NGA is a US Military Intelligence Agency, equivalent to NSA, but operating on space GEOINT and SIGINT in serving US intelligence and defense agencies.
>
> NGA is the Space partner of NSA:
> https://www.nsa.gov/news-features/press-room/Article/1635467/joint-document-highlights-nga-and-nsa-collaboration/
>
> I think that no one would object to shutting down an NSA-operated Intermediate CA; I am wondering if Mozilla would consider this removal.
>
> That said, given the approach that has been followed with DarkMatter about "credible evidence" and "people safety" principles, I would strongly argue that Mozilla should take action against the subjects previously documented.
>
> I will open a thread on this newsgroup for each of those companies to understand what the due process is and how it will compare to this.
>
> Fabio Pietrosanti (naif)
>
> On Tuesday, 9 July 2019 18:19:36 UTC+2, Nadim Kobeissi wrote:
>> Dear Wayne,
>>
>> I fully respect Mozilla's mission and I fully believe that everyone here is acting in good faith.
>>
>> That said, I must, in my capacity as a private individual, decry what I perceive as a dangerous shortsightedness and lack of intellectual rigor underlying your decision. I do this as someone with a keen interest in Internet freedom issues and not as someone who is in any way partisan in this debate: I don't care for DarkMatter as a company in any way whatsoever and have no relationship with anyone there.
>>
>> I sense enough urgency in my concerns to pause my work schedule today and respond to this email. I will do my best to illustrate why I sense danger in your decision. Essentially there are three specific points I take issue with:
>>
>> -----------------
>> 1: Waving aside demands for objective criteria.
>> -----------------
>> You say that "if we rigidly applied our existing criteria, we would deny most inclusion requests." Far from being an excuse to put more weight (or in this case, perhaps almost all weight) on subjective decision making, this should be a rallying cry for Mozilla to investigate why it is that an objective and democratic decision-making process is failing, and what can be done to make it work better. Waving aside objective procedures as "checklists" dismisses a core procedural element of how such critical decisions should be made in the future and is explicitly undemocratic and therefore dangerous.
>>
>> -----------------
>> 2: Calling allegations "credible" and "extensively sourced" with almost no basis whatsoever.
>> -----------------
>> You cite four articles: two are from the Intercept, one is from Reuters and one is from the New York Times. You claim that the fact that they are years apart bolsters their credibility; why is this the case? In fact, these articles all parrot almost exactly the same story, with some minor additions, updates and modifications. They all almost read like the same article, despite their temporal distribution. Furthermore, the notion that the articles are "extensively sourced" is simply incorrect: all of the articles are based on anonymous sources and none of them provide a shred of evidence, which is why we are in this debate to begin with (or so I've been thinking).
>>
>> It should also be noted that both The Intercept and the New York Times have published misleading and incorrect information many times in their history. The Intercept in particular has a very spotty credibility record.
>>
>> It is also not difficult to theorize how a politically trendy topic (cyberattacks) against the world's most easy-to-villainize company (an Arabic offensive cybersecurity company operating within a true monarchic state) would be appealing to American journalists. This sort of thing isn't new, and American "digital rights" groups have previously linked malicious cyberattacks to Middle Eastern countries without providing something that is even close to the same standard of evidence that they almost always provide when naming American or European actors.
>>
>> It is indeed unfortunate that this issue was dealt with in a single paragraph: I would have expected it to be the brunt of the email given its importance, and it is impossible to qualify that reporting as "credible" and "extensively sourced" so summarily.
>>
>> -----------------
>> 3: Culminating in an argument that simply boils down to "the people's safety", a trope that is often overused and that leads to undemocratic behavior.
>> -----------------
>>
>> We don't know if DarkMatter is an evil spying empire that doesn't care about the rights and dignity of private citizens or not. We don't know if they're setting up shell companies to mislead Mozilla's CA vetting procedures or not. In fact, it's been months where no new information has arisen and I would like to repeat that I do not _at all_ discount the possibility that all of the allegations may turn out to be completely true.
>>
>> But instead of making effort towards resolving this uncertainty, or, in case that's not possible, creating procedures to deal with it, we see it being wielded in order to increase the subjectivity of the decision making that gatekeeps some of the most fundamental issues of Internet security and to legitimize shoddy thinking.
>>
>> Individually, your apparent decision against DarkMatter doesn't bother me. It is the decision making process itself however that risks setting a dangerous precedent that is already taking shape in other parts of the tech community, where major decisions are predicated on gut feeling and notions of safety that are almost by design impossible to elucidate, and where much-needed objectivity, vetting and reasoned behavior is relegated to one-shot paragraphs that barely come with an apology.
>>
>> In conclusion: perhaps it is exactly because DarkMatter are so incredibly easy to demonize that we are so temporarily blind to an infinitely more dangerous and terrifying lapse of judgement: one that may come from much closer to home. I don't mind if DarkMatter loses out here, but I urge you to self-reflect critically on what this decision may constitute in terms of a future trend.
>>
>> Presented with the utmost respect and good faith,
>>
>> Yours sincerely,
>>
>> Nadim Kobeissi
>> Symbolic Software • https://symbolic.software
>> Sent from office
>>
>>
>> On Tue, Jul 9, 2019 at 5:31 PM Wayne Thayer <wtha...@mozilla.com> wrote:
>>
>>> I would like to thank everyone for their constructive input on this difficult issue. I would also like to thank DarkMatter representatives for participating in the open, public discussion. I feel that the discussion has now, after more than 4 months, run its course.
>>>
>>> The question that I originally presented [1] to this community was about distrusting DarkMatter’s current intermediate CA certificates (6 total) based on credible evidence of spying activities by the company. While a decision to revoke trust in these intermediates would likely result in a denial of DarkMatter’s root inclusion request [2], the public discussion for that request has not yet begun. A decision not to revoke these intermediates does not necessarily mean that the inclusion request will be approved.
>>>
>>> Some of this discussion has revolved around compliance issues, the most prominent one being the serial number entropy violations discovered by Corey Bonnell. While these issues would certainly be a consideration when evaluating a root inclusion request, they are not sufficient to have triggered an investigation aimed at revoking trust in the DarkMatter intermediates or QuoVadis roots. Therefore, they are not relevant to the question at hand.
>>>
>>> Much of the discussion has been about the desire for inclusion and distrust decisions to be made based on objective criteria that must be satisfied. However, if we rigidly applied our existing criteria, we would deny most inclusion requests. As I stated earlier in this thread, every distrust decision has a substantial element of subjectivity. One can argue that we’re discussing a different kind of subjectivity here, but it still amounts to a decision being made based on a collective assessment of all the information at hand rather than a checklist.
>>>
>>> Some, including DarkMatter representatives [3], have declared the need to examine and consider the benefits of having DarkMatter as a trusted CA. However, last year we changed our policy to replace the weighing of benefits and risks with “based on the risks of such inclusion to typical users of our products.” [4]
>>>
>>> Perhaps the most controversial element in this discussion has been the consideration of “credible evidence”. The first component is the inherent uncertainty over what is “credible”, especially in this day and age. While it has been pointed out that respected news organizations are not beyond reproach [5], having four independent articles [6][7][8][9] from reputable sources published years apart does provide some indication that the allegations are credible. These articles are also extensively sourced.
>>>
>>> If we assume for a second that these allegations are true, then there is still a sincere debate over what role they should play in our decision to trust DarkMatter as a CA. The argument for considering these allegations is akin to the saying “where there’s smoke there’s fire”, while the argument against can be described as “innocent until proven guilty”.
>>>
>>> DarkMatter has argued [3] that their CA business has always been operated independently and as a separate legal entity from their security business. Furthermore, DarkMatter states that once a rebranding effort is completed, “the DarkMatter CA subsidiary will be completely and wholly separate from the DarkMatter Group of companies in their entirety.” However, in the same message, DarkMatter states that “Al Bannai is the sole beneficial shareholder of the DarkMatter Group.” and leaves us to assume that Mr. Al Bannai would remain the sole owner of the CA business. More recently, DarkMatter announced that they are transitioning all aspects of the business to DigitalTrust and confirmed that Al Bannai controls this entity. This ownership structure does not assure me that these companies have the ability to operate independently, regardless of their names and legal structure.
>>>
>>> Mozilla’s principles should be at the heart of this decision. “The Mozilla Manifesto [10] states:
>>>
>>> Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.”
>>>
>>> And our Root Store policy states: “We will determine which CA certificates are included in Mozilla's root program based on the risks of such inclusion to typical users of our products.”
>>>
>>> In other words, our foremost responsibility is to protect individuals who rely on Mozilla products. I believe this framing strongly supports a decision to revoke trust in DarkMatter’s intermediate certificates. While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users. I will be opening a bug requesting the distrust of DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also recommend denial of the pending inclusion request, and any new requests from DigitalTrust.
>>>
>>> In the past, we’ve seen CAs attempt to make an end run around adverse trust decisions - through an acquisition, a shell company, etc. We will treat any such attempt as a violation of this decision and act accordingly. Mozilla does welcome DigitalTrust as a “managed” subordinate CA under the oversight of an existing trusted CA that retains control of domain validation and the private keys.
>>>
>>> This discussion has highlighted an opportunity to improve our review of new externally-operated subordinate CAs [11]. This issue [12] is part of the current policy update discussions.
>>>
>>> Wayne
>>>
>>> [1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ
>>> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427262
>>> [3] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/mJ0EV2eoCgAJ
>>> [4] https://groups.google.com/d/msg/mozilla.dev.security.policy/58F6FgeGOz8/Zzb-r76wBQAJ
>>> [5] https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/11/27/bloomberg-is-still-reporting-on-challenged-story-regarding-china-hardware-hack/
>>> [6] https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
>>> [7] https://www.reuters.com/investigates/special-report/usa-spying-raven/
>>> [8] https://www.nytimes.com/2019/03/21/us/politics/government-hackers-nso-darkmatter.html
>>> [9] https://theintercept.com/2019/06/12/darkmatter-uae-hack-intercept/
>>> [10] https://www.mozilla.org/en-US/about/manifesto/
>>> [11] https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits
>>> [12] https://github.com/mozilla/pkipolicy/issues/169
>>>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy