On Mon, Jan 3, 2022 at 11:38 AM 'md' via [email protected] < [email protected]> wrote:
> 1.1.1 *instance* means a data object that Telia's affiliates - SK ID
> Solutions (formerly *AS Sertifitseerimeskeskus*) together with its RA -
> Omnitel (legal name - *AB Telia Lietuva*) have been issuing to the public
> as "qualified certificate" (QS).

As with Pekka, I have to question the relevance of this statement to the discussion. It would appear you’re saying that Telia should be held accountable for SK ID’s behavior, and the reasoning for that is simply the statement that they are “Telia’s affiliates”. Can you share facts and details to support this claim? Otherwise, it presently reads no differently than if someone said I should be personally responsible for, say, WoSign, because I talked to their CEO once. That’s not to suggest there may not be something here, but you haven’t actually established this with any supporting details yet.

> 1.1.2 *something* means "Qualified certificate" - a complex data structure
> that was initially defined in directive 1999/93/EC. For clarity, the QS in
> 1.1.1 (which is incompatible with the directive) is called surrogate QS.

I am unable to locate any references to this term. Is this a term you just made up here?

> 1.1.3 Worth mentioning also evaluation of legality of surrogate QS by:
>
> a) the Data Protection Authority (legal name Valstybinė duomenų apsaugos
> inspekcija - VDAI) ordered Omnitel to stop issuing surrogate QSs. This
> order is still ignored (how and why can be discussed separately);
>
> b) the Supreme administrative court which ruled that surrogate QS violates
> the Data protection law (an implementation of directive 95/46/EC, now
> regulation 2016/679 - GDPR). This is also ignored (how and why can be
> discussed separately).
> See case translation here:
> https://journals.sas.ac.uk/deeslr/article/download/2142/2072/

It may be worth disclosing that it would appear you were listed as well in this case, and thus may not be neutral.
That doesn’t necessarily undermine the facts, but does affect how we should perceive the conclusions here, as it appears it was a case against your competitor. However, while I greatly appreciate the fascinating case here, it also doesn’t obviously link to Omnitel, and certainly not to Telia. If you believe there is a link, I hope you can show a bit more of those details. Noting here, further, that the case was with respect to the inclusion of certain ID attributes, which the (equivalent of the) SB said was permitted, your CA believed were not, the other CA believed were - and the latter CA became more popular. I mention it because it seems at issue here was the guidance of the state authority, rather than the CA itself.

<https://journals.sas.ac.uk/deeslr/article/download/2142/2072/>

> 1.1.6 the fact that SK ID Solutions together with its unaudited RA - *AB
> Telia Lietuva*:

Can you establish this link mode, specifically:
1) between AB Telia Lietuva and the CA presently applying
2) Establishing how this CA was unaudited

> 1.2.2 eIDAS has at least three directly applicable mechanisms to prevent
> issuing surrogate QCs, but none of them worked as expected (*disorder*):
>
> a) TSP audit by CAB - surrogate QCs were accepted;
>
> b) TSP "qualified service" assessment by the Supervisory body - surrogate
> QCs were accepted;
>
> c) Trust list management by the Scheme operator under the Commission
> implementing decision 2015/1505 - surrogate QCs were accepted.

With respect, a wide degree of latitude is afforded to SBs with respect to scheme evaluation and notification, and similarly to the supervision of CABs. This is one of the long-standing critiques as to the applicability of eIDAS to browser trust programs (and equally, that those schemes proposed to be unified into - such as ETSI - are equally misaligned).
However, it would seem that you’re saying that despite the SB recognizing the CAB’s assessment and notifying the trust list, that the CA should bear responsibility here, particularly for doing something the government said is OK? I certainly don’t want to say that government authority exempts a CA from understanding the rules, or this would create a clear risk of compelled misissuance, but I think that such a statement is also missing a lot of substance and detail here. Are we still discussing the context of the citizen number being included in certificates, or do you believe there are further aspects at play here?

> 2. RE "*This sounds like you're specifically referring to actions taken by
> Telia Company AB*"
>
> Correct. Telia Company AB is the driving force of an ”organized group”,

I’m not sure that we’ve established the connection yet.

> where
>
> a) The Swedish government creates "favorable conditions" in the countries
> of Telia Company AB's business operation (at least easy access to local
> governments is guaranteed);

This is a statement without support, but also seems to be a complaint about the Swedish government?

> b) The Telia Company AB management partners with local governments so that
> the doors of relevant institutions (agencies) are open to its local
> affiliate (remember "What's good for General Motors is good for the
> country"?)
>
> https://m.facebook.com/story.php?story_fbid=10156465065383408&id=96251623407&m_entstream_source=video_home&player_suborigin=entry_point&player_format=permalink

Are you implying that Telia participated in corruption? It’s unclear if this is a complaint simply that they’re well-connected, or if this is implying nefarious action because of it.
> c) The Telia Company AB affiliate develops "special relationship" with the
> institutions so that at least supervision of its business is completely
> "switched off", this includes lobbying any desired legislation (surrogate
> QC is "locally legitimized" despite competing with other national laws
> and EU directives and regulations.

Is this still about the citizen number? Are there other aspects here?

> I must apologize for this schematic/simplified response covering 20+ years
> of Telia Company AB's business practices in the Baltics.
>
> If you google "Telia + corruption", almost all information will be about
> Telia Company AB's (formerly TeliaSonera AB) "achievements" in telecom
> markets, this is partly because of:

I’m not sure I see the same results? That is, there’s the discussion of the Uzbekistan corruption case, which I believe you’ve raised previously on the list (certainly, there has been some past discussion), in which TeliaSonera was accused of bribing Uzbeki authorities. That case was settled (with respect to US charges), although the charges against Telia’s CEO were dismissed on a technicality (unable to show the specific beneficiaries of the bribes were directly responsible for decision making). However, are the others you believe are relevant to this current inclusion request?

> Please let me know if you need more info or have any questions - the
> information above is backed by publicly accessible evidence material from
> official sources.

I think it’s clear you feel very strongly about this, and would appear to be requesting this request be denied. What is unclear to me is what are the relevant facts you believe would justify that. As it stands, the only concrete detail that seems to be provided here is a case against a different CA; if this is linked to Telia, it’s not obvious. On the vaguer side, we see references to Telia’s corruption scandals, and an implication of inherent corruption simply because they lobby.
I’m not trying to suggest such concerns aren’t relevant; as we saw with DarkMatter, the behaviors and practices of an organization can very much have bearing on the decision to include or not include a CA. It’s just that, right now, it does not feel like there is a similarly coherent narrative about the risks, and how those past actions predict further new issues that pose such risks. Unlike, say, multiple independently sourced and researched allegations of adversarial hacking, the substance here seems to be one of bribery or influence operations, and I hope you can further elaborate why members here should be particularly concerned. For example, with your remarks about surrogate QSes, CABs, and SBs, it’s unclear if you’re trying to suggest that the audits should not be relied upon. However, as Telia noted, they also provide WebTrust-based audits; are you suggesting that corruption or influence extends there as well?
