Message body (1 of 2) Mozilla CA Certificate Policy Module Owner
Dear Wayne,

I am writing to provide an official response to the public discussion that you have initiated, on mozilla.dev.security.policy, in accordance with Article 7.1 of the Mozilla Root Store Policy, on the inclusion of DarkMatter certificates in the Mozilla Root Certificate Store.

While we welcome the public discussion as a vital component in the maintenance of trust and transparency in Mozilla’s Root Store, we wish to bring to your attention, and to other esteemed CABForum members, DarkMatter’s reasonable apprehension of bias and conflict of interest in how the Mozilla organization has framed and conducted the discussion at hand. Notwithstanding the stated goal of transparency in the public discussion, recent public comments by Mozilla employees (including your opening statement in the discussion) indicate a hidden organizational animus that is fatal to the idea of “due process” and “fundamental fairness” being accorded to any CA applicant to the Mozilla Root Store.

As you are fully aware, DarkMatter has spent considerable effort over the past three (3) years to establish its commercial CA and Trust related business. A key milestone has been the successful completion of two (2) WebTrust public audits verifying that DarkMatter’s CA business is operating in accordance with the standards stipulated within the Mozilla Root Store Policy and the latest version of the CA/Browser Forum (“CABForum”) Requirements for the Issuance and Management of Publicly-Trusted Certificates. We have publicly disclosed our Certificate Policy and Certification Practice Statements showing how we comply with the above noted requirements.

A key pillar of the Mozilla Manifesto is the “commitment to an internet that elevates critical thinking, reasoned argument, shared knowledge, and verifiable facts” and a rejection of the use of the power of the internet to “intentionally manipulate fact and reality”.[1] Notwithstanding the call for a public discussion, we note that other senior members of your organization have already pre-judged in public DarkMatter’s ability to be “trusted”, on the basis of less than reasoned arguments and verifiable facts.

Marshal Erwin, director of trust and security for Mozilla, said the Reuters Jan. 30 report had raised concerns inside the company that DarkMatter might use Mozilla’s certification authority for “offensive cybersecurity purposes rather than the intended purpose of creating a more secure, trusted web.”

“We don’t currently have technical evidence of misuse (by DarkMatter) but the reporting is strong evidence that misuse is likely to occur in the future if it hasn’t already,” said Selena Deckelmann, a senior director of engineering for Mozilla.

Every CA, Root CA, National PKI operator and Governmental Regulatory body (in every country of the world) should be as alarmed as we are at the dystopian vision articulated by the Mozilla employees for those sovereign nations deemed not worthy of operating their own national certificates. The above comments indicate an approach that is contrary to the stated commitment of the Mozilla foundation to an “Internet that includes all the peoples of the earth – where a person’s demographic characteristics do not determine their online access, opportunities, or quality of experience”. It should be disturbing to the entire CABForum community that Mozilla is contemplating exercising its discretionary power in a capricious manner – against a company headquartered in the United Arab Emirates – simply on the basis of non-existent “evidence” of a future unknown “misuse”.

There simply cannot be “trust” in the discretionary power of a root store operator (whether it is Mozilla or Google) if its decisions are based on something less than “verifiable facts”.

In light of the above comments, we ask you, as the Mozilla CA Certificate Policy Module Owner, to further reconsider how you have framed the public discussion on DarkMatter’s inclusion request with the following statement:

“The rationale for distrust is that multiple sources [1][4][5] have provided credible evidence that spying activities, including the use of sophisticated targeted surveillance tools, are a key component of DarkMatter’s business, and such an organization cannot and should not be trusted by Mozilla. In the past Mozilla has taken action against CAs found to have issued MitM certificates [6][7]. We are not aware of direct evidence of misused certificates in this case. However, the evidence does strongly suggest that misuse is likely to occur, if it has not already.”

There is no doubt in our mind that Mozilla’s inclusion of the references to CAs found to have issued “MitM Certificates” in the opening statement about the “rationale for distrust” of DarkMatter is extremely prejudicial, in that it deliberately distorts the discussion and misinforms the public about DarkMatter’s inclusion request. Furthermore, it calls into question the unexpressed motives behind the concerted efforts by certain competitors to derail DarkMatter’s two-year process to have our Roots included in the Mozilla and Google root stores.

For the record, we unequivocally state that DarkMatter has never been involved in the issuance of any “MitM Certificates”, and will never do so.

[CONTINUED IN MESSAGE BODY 2]

Benjamin Gabriel | General Counsel & SVP Legal
Tel: +971 2 417 1417 | Mob: +971 55 260 7410
[email protected]

The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.

