A formal appeal has been filed with the Mozilla Foundation Board of Directors. In the spirit of transparency, we will be posting the contents of the Appeal to this forum in six (6) separate messages.

Benjamin Gabriel

Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
benjamin.gabr...@darkmatter.ae

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Kathleen Wilson via dev-security-policy
Sent: Tuesday, July 16, 2019 8:20 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DarkMatter Concerns

All,

Thanks again to all of you who have been providing thoughtful and constructive input into this discussion. As I previously indicated [1], this has been a difficult decision to make. I have been carefully reading and contemplating the input that you all have been providing in this forum.

I concur with Wayne’s recommendation [2] to add DarkMatter’s existing intermediate certificates to OneCRL (https://bugzilla.mozilla.org/show_bug.cgi?id=1564544), and decline DarkMatter’s root inclusion request (https://bugzilla.mozilla.org/show_bug.cgi?id=1427262). I will update those bugs to reflect my decision to distrust the intermediate certs and to decline the root inclusion request.

I also concur with Wayne that DarkMatter (a.k.a. DigitalTrust) is welcome to be a “managed” subordinate CA under the oversight of an existing trusted CA that retains control of domain validation and the private keys.

Below are some additional comments I would like to share.

I was intrigued by Matthew’s FICO score analogy [3] demonstrating that bias should be removed from the decision-making process. I agree with Gijs’ suggestion [4] that a more applicable analogy is being a guarantor on a large loan. As Gijs said: you should never “be a guarantor for anybody unless you're very, very sure of that person, because you have effectively no recourse if the debtor leaves you holding the bag.”

If I had thought of myself (or Mozilla) as a guarantor of the CNNIC CA, then all of the concerns that people had raised about CNNIC during their root inclusion request would have enabled me to say that I was not confident that CNNIC would continue to fulfill their commitments as a CA in Mozilla’s program. That could have prevented the difficulties that arose when the CNNIC root was used to mis-issue TLS certificates that were subsequently used for MiTM.

Some of you have pointed out that Mozilla needs to provide more oversight and scrutiny of subordinate CAs, and I fully agree with you. With over 3,000 subordinate CA certificates chaining to root certificates in Mozilla’s program, we need automation to extend checks and balances to all of them. I have been working towards this via the Common CA Database (CCADB) [5]. The good news is that most of the subordinate CAs in Mozilla’s program are “managed” subordinate CAs, which means that the root CA retains control of the private keys and domain validation. As Wayne mentioned, we are also working on improving our policy and process to provide better oversight of the other, “externally-operated”, subordinate CAs [6,7].

Thanks,
Kathleen

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/LPCGngLxBwAJ
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/TseYqDzaDAAJ
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/HiAMJkBNDQAJ
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/XXp1KIBoDQAJ
[5] https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/
[6] https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits
[7] https://github.com/mozilla/pkipolicy/issues/169

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy