#29628: Distrust DarkMatter Intermediate CAs
--------------------------------------+--------------------------
 Reporter:  nsuchy                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by nsuchy):

Replying to [comment:2 sysrqb]:
> You may find the entire thread discussing this topic enlightening. I am personally in support of Mozilla denying the root inclusion request and revoking their intermediate CA certificate. However, as it was said numerous times in the discussion thread, the only reason we know DarkMatter have these CA certificates is because they applied for root inclusion - in a public forum. It is very easy for a malicious organization to obtain an intermediate CA certificate without that certificate being attributable to them. As far as anyone knows (publicly), DarkMatter haven't used their current Intermediate CA with malicious intent, yet(!). If DarkMatter use their CA for malicious purposes in the future and that malicious activity is detected, then their intermediate CA certificate should be revoked by DigiCert (and therefore they lose their trusted position globally). The current question is whether Mozilla should pre-emptively revoke DarkMatter's Intermediate certificate and reject their current root.
>
> The Tor Project isn't in a position where we can successfully audit all anchor and intermediate CAs included in Mozilla's root store. And, even if we could, we likely wouldn't be able to maintain that long-term. We can distrust DarkMatter's current intermediate, but given the previous statement about how Intermediate CA certificates can be obtained relatively easily under alternative-names, I don't know if this is a winning solution. In reality, distrusting one intermediate CA is likely pointless, other than making a political statement.
>
> I'll leave this open, in case anyone else on the team has more input here.
>
> https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ

I agree that it's impossible for a small organization to monitor all intermediate CAs; instead, wait for someone to make a report in Trac, review its legitimacy, and distrust where appropriate.

Even root CAs like Let's Encrypt could in theory issue abusive certificates. In this case, evidence points towards the CA being likely to misbehave and it'd be a reasonable precaution given the evidence for the Tor Project to take action. Also the Google Groups thread was interesting, thank you for sharing.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29628#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs