On 05/03/2019 16:11, Benjamin Gabriel wrote:
Message Body (2 of 2)
[... continued ..]
Dear Wayne
> ...
Yours sincerely,
Benjamin Gabriel
General Counsel
DarkMatter Group
As an outside member of this community (not employed by Mozilla or any
public CA), I would like to state the following (which is not official
by my company affiliation and cannot possibly be official on behalf of
Mozilla):
1. First of all, thank you for finally directly posting Darkmatter's
response to the public allegations. Many people seemingly
inexperienced in security and policy have posted rumors and opinions
to the discussion, while others have mentioned that Darkmatter had
made some kind of response outside this public discussion thread.
2. It is the nature of every government CA or government sponsored CA
in the world that the current structure of the Mozilla program can
be easily abused in the manner speculated, and that any such abuse
would not be admitted, but rather hidden with the full skill and
efficiency of whatever spy agency orders such abuse. One of the
most notorious such cases occurred when a private company running a
CA for the Dutch Government had a massive security failure, allowing
someone to obtain MitM certificates for use against certain Iranian
people.
I have previously proposed a technical countermeasure to limit this
risk, but it didn't seem popular.
3. The chosen name of your CA "Dark matter" unfortunately is
associated in most English language contexts with either an obscure
astronomical phenomenon or as a general term for any sinister and
evil topic. This unfortunate choice of name may have helped spread
and enhance the public rumor that you are an organization similar
to the US NSA or its contractors. After all, "Dark matter is evil"
is a headline more likely to sell newspapers than "UAE company with a
very boring name helped UAE government attack someone". However, I
understand that as a long established company, it is probably too late
to change your name.
4. The United States itself has been operating a government CA (The
federal bridge CA) for a long time, and Mozilla doesn't trust it.
In fact, when it was discovered that Symantec had used one of their
Mozilla trusted CAs to sign the US federal bridge CA, this was one
of the many problems that led to Mozilla distrusting Symantec,
even though they were the oldest and biggest CA in the root
program.
5. While Darkmatter LLC itself may have been unaware of the discussions
that led to the wording of the 64 bit serial entropy requirements,
it remains open how QuoVadis was not aware of that discussion and
did not independently discover that you were issuing with only 63
bits under their authority.
6. Fairly recently, a private Chinese CA (WoSign) posted many partially
untrue statements in their defense. The fact that their posts were
not 100% true, and sometimes very untrue, has led to a situation
where some on this list routinely compare any misstatements by a
criticized CA to the consistent dishonesty that led to the permanent
distrust of WoSign and its subsidiary StartCom. This means that you
should be extra careful not to misstate details like the ones caught
by Jonathan Rudenberg in his response at 16:12 UTC today.
7. Your very public statement ended with a standard text claiming that
the message should be treated as confidential. This is a common
cause of ridicule and the reason that my own postings in this forum
use a completely different such text than my private e-mail
communication. As a lawyer you should be able to draft such a text
much better than my own feeble attempt.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
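Added example, not part of Jakob's post or of anything DarkMatter or QuoVadis published: a small audit of certificate serial numbers for the 63-bit defect referred to in point 5, where a generator produces 64-bit serials but never sets the top bit. It takes serials as the hex strings printed by `openssl x509 -noout -serial`; the sample serials are constructed for illustration, and the 64-bit minimum is the CA/Browser Forum Baseline Requirements figure quoted in the thread.

```python
"""Heuristic audit of X.509 serial numbers for the 63-bit-entropy defect.

Serials are given as hex strings (as printed by `openssl x509 -noout -serial`,
with or without the 'serial=' prefix and with optional colons).
"""
from typing import Iterable

# Minimum random bits required in a serial by the CA/Browser Forum Baseline
# Requirements (the "64 bit serial entropy requirement" discussed in the thread).
MIN_RANDOM_BITS = 64


def serial_from_hex(text: str) -> int:
    """Parse 'serial=0A:1B...' or bare hex into an integer."""
    text = text.strip()
    if text.lower().startswith("serial="):
        text = text[len("serial="):]
    return int(text.replace(":", ""), 16)


def der_integer_octets(serial: int) -> int:
    """Octets needed to DER-encode a positive INTEGER.

    DER integers are two's complement, so a value whose top bit would fall on
    the leading octet's sign bit needs an extra 0x00 octet: a 63-bit serial
    fits in 8 octets, a genuine 64-bit one needs 9.
    """
    return serial.bit_length() // 8 + 1


def classify_serial(serial: int) -> str:
    """Per-certificate view: a single short serial is only a weak signal."""
    if serial <= 0:
        return "invalid: serial must be a positive integer"
    bits = serial.bit_length()
    if bits < MIN_RANDOM_BITS:
        return f"short: {bits} significant bits, fewer than {MIN_RANDOM_BITS}"
    return f"ok: {bits} significant bits, {der_integer_octets(serial)} DER octets"


def audit_batch(serial_hexes: Iterable[str]) -> dict:
    """Batch view over serials issued by one CA.

    A generator that really draws 64 random bits sets bit 63 in about half of
    its outputs, so the chance that n independent serials all leave it clear
    is 2**-n. A batch whose longest serial is exactly 63 bits and in which
    no serial reaches 64 bits is the fingerprint of a 63-bit generator.
    """
    serials = [serial_from_hex(h) for h in serial_hexes]
    bit_lengths = [s.bit_length() for s in serials]
    n = len(serials)
    top_bit_set = sum(1 for b in bit_lengths if b >= MIN_RANDOM_BITS)
    max_bits = max(bit_lengths, default=0)
    verdict = "ok"
    if n and top_bit_set == 0 and max_bits == MIN_RANDOM_BITS - 1:
        verdict = "suspect-63-bit-generator"
    elif n and max_bits < MIN_RANDOM_BITS - 1:
        verdict = "short-serials"
    return {
        "count": n,
        "max_bits": max_bits,
        "with_top_bit_set": top_bit_set,
        "all_clear_probability": 2.0 ** -n if n else 1.0,
        "verdict": verdict,
    }


# Constructed sample data (not real certificates). The first batch imitates a
# generator that masks off bit 63; the second imitates a correct 64-bit draw.
SUSPECT_SERIALS = [
    "71e2a9c4b83f0d15", "3a8c1f9e7d2b6054", "5fd40b9a2c7e1386", "0e6b7d3a19c52f48",
    "66a1c03e8b9d7f2a", "2d9f5e1b70c4a863", "4b3e8f2a6d1c9075", "7ffe13c2a95b6e04",
]
GOOD_SERIALS = [
    "9c41e7a2b05d3f86", "2f8a1d9e6b03c457", "e3b09a7f1c5d2648",
    "4d17c8e2a96b305f", "b82e5f0a3c79d164", "serial=0a5e3c1d9b7f2e64",
]

if __name__ == "__main__":
    for name, batch in (("suspect", SUSPECT_SERIALS), ("good", GOOD_SERIALS)):
        print(name, audit_batch(batch))
```

The per-certificate check alone cannot distinguish a 63-bit generator from a correct one that happened to draw a value with the top bit clear; the batch probability is what makes the finding actionable, which is why an auditor would run this over a CA's full issuance rather than over one certificate.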
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy