On Mon, Mar 13, 2023 at 2:35 PM Kathleen Wilson <kwil...@mozilla.com> wrote:

> All,
>
> As per Mozilla's root inclusion process I need to make a decision about
> approving or denying this root inclusion request from the Beijing CA.
>
> In my opinion, the Beijing CA has successfully completed our root
> inclusion process and demonstrated compliance with all of our rules and
> policies. Therefore, my inclination is to approve this request.
>
> There has been one item holding up my approval, which is the concerns
> raised by contributors to this forum that the One Pass software might be
> malware. I have been unable to find evidence to convince myself that the
> One Pass software is malware, so I would like to ask those of you who have
> raised such concerns...
>
> Is there something specifically that you have observed that One Pass does
> that disrupts or damages the user's system or gains unauthorized access?
>

I don't think anyone here has been directly affected; however, there are
numerous reports and an entire report:

https://go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf

When we asked BJCA about this they replied "The software mentioned in the
security incident report is a digital certificate application security
suite developed by BJCA. The normal operation of this software depends on
some technical implementation, which lead to misjudged as abnormal
behavior, actually it is not a spyware."

I guess it depends on whom you choose to believe: BJCA has stated that yes,
they have this software, but it's not spyware, or the reports that it does
in fact exhibit spyware characteristics.


>
> If I continue to be unable to obtain reasonable suspicion
> <https://www.merriam-webster.com/legal/reasonable%20suspicion> that One
> Pass is malware, then I will proceed with approving this CA's root
> inclusion request this week.
>

Why can't they simply provide us with a copy of the software? Surely if it
is legitimate and above board, this shouldn't be a problem? The previous
reports include file hashes so getting the same version should be easy.


>
> Thanks,
> Kathleen
>
>


-- 
Kurt Seifried (He/Him)
k...@seifried.org

-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3-ZGOwRU%3DyQ1r4WRDWGwEZjdnLV4OVN8H_98QDZnRUMyg%40mail.gmail.com.