
DarkMatter CAs in Google Chrome and Android


Devon O'Brien

Jul 23, 2019, 3:03:58 PM
to mozilla-dev-s...@lists.mozilla.org
(Writing on behalf of Google Chrome and Android)

On behalf of Google Chrome and Android, we would like to thank the participants that have contributed to the discussion on the broader M.D.S.P thread on this topic. We will be taking similar steps to those proposed by Wayne and approved by Kathleen, in that we will be removing trust in the DarkMatter-operated intermediates across Google Chrome and Android and we will not be including DarkMatter’s proposed new root certificates. We anticipate these changes will be delivered via our existing in-band delivery mechanisms to clients and require no user action.

Scott Rea

Jul 24, 2019, 10:32:58 AM
to Devon O'Brien, mozilla-dev-s...@lists.mozilla.org
G’day Devon et al,

Can you please detail the reason behind Google withdrawing trust for the UAE NPKI intermediates?
Can you also please provide the timeline for the in-band delivery of the restriction by Google? As you can imagine this will have catastrophic impact for existing customers and we would like to provide them a reasonable plan to manage the transition.

As you are aware, DarkMatter and DigitalTrust have appealed the decision by Mozilla on the basis of multiple elements which have also been published to the list. Has the appeal or any of the points at the heart of that appeal been taken into account in this decision by Google?

Regards,
-Scott

On 7/23/19, 11:02 PM, "dev-security-policy on behalf of Devon O'Brien via dev-security-policy" <dev-security-...@lists.mozilla.org on behalf of dev-secur...@lists.mozilla.org> wrote:

> (Writing on behalf of Google Chrome and Android)
>
> On behalf of Google Chrome and Android, we would like to thank the participants that have contributed to the discussion on the broader M.D.S.P thread on this topic. We will be taking similar steps to those proposed by Wayne and approved by Kathleen, in that we will be removing trust in the DarkMatter-operated intermediates across Google Chrome and Android and we will not be including DarkMatter’s proposed new root certificates. We anticipate these changes will be delivered via our existing in-band delivery mechanisms to clients and require no user action.

Scott Rea | Senior Vice President - Trust Services
Tel: +971 2 417 1417 | Mob: +971 52 847 5093
Scot...@darkmatter.ae

Scott Rea

Jul 25, 2019, 3:53:04 AM
to Devon O'Brien, mozilla-dev-s...@lists.mozilla.org
G’day Devon et al,

It would appear that Chrome has implemented distrust of the UAE NPKI intermediates immediately - can you please explain the rationalization for this decision?

These intermediates have been operating without issue for a few years now, what was the rationale for immediate distrust without giving DigitalTrust the opportunity to contact customers about the need to update site certificates? This is extremely disruptive and has left all public trust customers inoperable unless their customers swap to a browser other than Chrome.

Can you please outline the justification behind this?

Regards,
-Scott


Nick Lamb

Jul 25, 2019, 5:33:45 AM
to dev-secur...@lists.mozilla.org, Scott Rea
On Wed, 24 Jul 2019 14:32:41 +0000 Scott Rea via dev-security-policy
<dev-secur...@lists.mozilla.org> wrote:

> As you are aware, DarkMatter and DigitalTrust have appealed the
> decision by Mozilla on the basis of multiple elements which have also
> been published to the list. Has the appeal or any of the points at the
> heart of that appeal been taken into account in this decision by
> Google?

Surely the answer is "Yes" ? I mean, it makes strategic sense to react
to a CA which tries to appeal a trust store decision over the heads of
the people making it in exactly this way - by distrusting it.

I think it's what I would advise an independent trust store to do in
this situation.

Nick.

Matthew Hardeman

Jul 25, 2019, 2:17:05 PM
to Nick Lamb, MDSP, Scott Rea
On Thu, Jul 25, 2019 at 4:33 AM Nick Lamb via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Surely the answer is "Yes" ? I mean, it makes strategic sense to react
> to a CA which tries to appeal a trust store decision over the heads of
> the people making it in exactly this way - by distrusting it.
>
> I think it's what I would advise an independent trust store to do in
> this situation.
>

Perhaps I misunderstand, but this would seem to suggest that there be
direct penalties for mere pursuit of due process.

okaphone.e...@gmail.com

Jul 25, 2019, 2:43:35 PM
to mozilla-dev-s...@lists.mozilla.org
I did not consider it useful to say it, so I didn't. But I was certainly thinking that "try... over the heads of people who make the decision" bit, when the "appeal" got posted. ;-)

Is there such a thing as a right to be trusted? Interesting question... I would say there isn't, trust cannot be demanded because it's based on other things than rules and laws.

CU Hans

Nick Lamb

Jul 25, 2019, 5:16:02 PM
to dev-secur...@lists.mozilla.org, Matthew Hardeman
On Thu, 25 Jul 2019 13:16:44 -0500
Matthew Hardeman via dev-security-policy
<dev-secur...@lists.mozilla.org> wrote:

> Perhaps I misunderstand, but this would seem to suggest that there be
> direct penalties for mere pursuit of due process.

Mmm? Due process is something a minority of sovereign entities promise
(though they are not always very consistent in delivering), it has no
relevance to relationships between anybody else, including Mozilla,
Google, Dark Matter, myself or you.

And participation in Mozilla's root programme is, as the name implies,
solely in Mozilla's gift, presumably likewise Google. Not getting to
participate is not a "penalty".


Nick.