
Top Level Module Committee Response to Dark Matter Root Inclusion Request Appeal


Eric Rescorla

Feb 24, 2020, 2:01:44 PM2/24/20
to dev-secur...@lists.mozilla.org
All,

Please find below the TLMC's resolution of Dark Matter's appeal.

-Ekr [for the TLMC]

Introduction

On December 28, 2017, Scott Rae on behalf of Dark Matter filed a bug [
https://bugzilla.mozilla.org/show_bug.cgi?id=1427262] asking for inclusion
in the Mozilla Root store for four new trust anchors:

- DarkMatter Root CA G3
- DarkMatter Root CA G4
- UAE Global Root CA G3
- UAE Global Root CA G4

A lengthy discussion of the inclusion request ensued on the
mozilla.dev.security.policy list [
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ],
centering on allegations that Dark Matter and/or affiliated companies had
engaged in offensive cyber operations and therefore might pose a risk to
the integrity of the WebPKI. At the conclusion of the discussion, on July
9, 2019, Mozilla CA Certificate Policy Module Owner Wayne Thayer
recommended (1) that the Dark Matter trust anchors not be included and (2)
that the existing intermediate certificate authorities owned by Dark Matter
be revoked. Module Peer Kathleen Wilson concurred. Dark Matter and its
affiliate company Digital Trust LLC appealed [
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/5P6myAgRDwAJ]
to the Mozilla Board of Directors. However, as appeals in the module system
are handled by the Mozilla TLMC [
https://wiki.mozilla.org/Modules/Firefox_Technical_Leadership], the TLMC is
responding to this appeal.

Review Criteria

The charter of the TLMC [
https://wiki.mozilla.org/Modules/Firefox_Technical_Leadership] states:

The Firefox Technical Leadership module (FTLM) is responsible for
engineering coordination and escalation among the modules that make up
Firefox, including ownership of the top-level module
<https://wiki.mozilla.org/Modules/All#mozilla-toplevel>. The FTLM generally
tries to avoid day-to-day involvement in operation of lower-level modules,
but gets involved with decisions that are explicitly cross-module and with
issues that cannot be resolved at lower levels, such as:

- Resolution of decisions that do not fall clearly into any specific
  module or set of modules
- Escalation of disputes beyond the module owner level

We believe that this language (“tries to avoid day-to-day involvement”), as
well as long Mozilla tradition, implies that the TLMC should apply a large
degree of deference to the decisions made by the individual modules,
overriding those decisions only in cases where the TLMC believes it is
necessary, for example, because the decision was clearly wrong or the
process which led to that decision was substantially flawed. In this case
in particular, there is an extensive question of fact which the Module
Owner was required to assess and, in general, the TLMC should not be
second-guessing the Module Owner on such questions.

CA Decision-Making Standard

The Mozilla CA Policy clearly sets forth the standard which the Module
owner is to apply for root inclusion:

We will determine which CA certificates are included in Mozilla's root
program based on the risks of such inclusion to typical users of our
products. We will consider adding additional CA certificates to the default
certificate set upon request only by an authorized representative of the
subject CA. We will make such decisions through a public process.

...

We reserve the right to not include certificates from a particular CA in
our root program. This includes (but is not limited to) cases where we
believe that a CA has caused undue risks to users’ security, e.g. by
knowingly issuing certificates without the knowledge of the entities whose
information is referenced in those certificates ('MITM certificates').
Mozilla is under no obligation to explain the reasoning behind any
inclusion decision. (§ 7.1)

Similar language applies to the decision to remove or disable certificates:

Mozilla MAY, at its sole discretion, decide to disable (partially or fully)
or remove a certificate at any time and for any reason. This may happen
immediately or on a planned future date. Mozilla will disable or remove a
certificate if the CA demonstrates ongoing or egregious practices that do
not maintain the expected level of service or that do not comply with the
requirements of this policy. (§ 7.3)

This language makes two things clear:

1. These decisions are to be made based on an assessment of the risks of
   inclusion to our users.
2. The ultimate decisions are entirely discretionary.

For these reasons, we would generally expect to defer to the module owner’s
judgement unless we believed it was clearly wrong.

Basis for the Module Owner’s Decision

The Module Owner’s recommendation can be found here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1427262#c95

The core of the rationale is that there are credible allegations of spying
activity by Dark Matter:

The question that I originally presented [1] to this community was about
distrusting DarkMatter’s current intermediate CA certificates (6 total)
based on credible evidence of spying activities by the company.

The module owner concludes that the possibility that Dark Matter engaged in
spying activity poses an unacceptable risk to our users:

Mozilla’s principles should be at the heart of this decision. “The Mozilla
Manifesto [10] states:

Individuals’ security and privacy on the internet are fundamental and must
not be treated as optional.”

And our Root Store policy states: “We will determine which CA certificates
are included in Mozilla's root program based on the risks of such inclusion
to typical users of our products.”

In other words, our foremost responsibility is to protect individuals who
rely on Mozilla products. I believe this framing strongly supports a
decision to revoke trust in DarkMatter’s intermediate certificates. While
there are solid arguments on both sides of this decision, it is reasonable
to conclude that continuing to place trust in DarkMatter is a significant
risk to our users. I will be opening a bug requesting the distrust of
DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also
recommend denial of the pending inclusion request, and any new requests
from DigitalTrust.

This rationale -- risk to our users -- is clearly at the heart of the
reasons described in § 7.1 and 7.3 of Mozilla’s Root Store Policy. This
leaves us with two questions: (1) whether the module owner’s conclusion that
the allegations were credible was reasonable and (2) whether the module
owner’s conclusion that the allegations, if credible, posed a risk to our
users was reasonable. In both cases, our conclusion is “yes”.

Credibility of the Allegations

There have been extensively reported allegations that DarkMatter was
engaged in offensive cyber operations.

While cybersecurity companies traditionally aim to ensure that the code in
software and hardware is free of flaws — mistakes that malicious hackers
can take advantage of — DarkMatter, according to sources familiar with the
company’s activities, was trying to find and exploit these flaws in order
to install malware. DarkMatter could take over a nearby surveillance camera
or cellphone and basically do whatever it wanted with it — conduct
surveillance, interfere with or change any electronic messages it emitted,
or block the signals entirely. (Intercept, 2016)
[https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/]


Stroud had been recruited by a Maryland cybersecurity contractor to help
the Emiratis launch hacking operations, and for three years, she thrived in
the job. But in 2016, the Emiratis moved Project Raven to a UAE
cybersecurity firm named DarkMatter. Before long, Stroud and other
Americans involved in the effort say they saw the mission cross a red line:
targeting fellow Americans for surveillance.

...

Mansoor was convicted in a secret trial in 2017 of damaging the country’s
unity and sentenced to 10 years in jail. He is now held in solitary
confinement, his health declining, a person familiar with the matter said.

Mansoor’s wife, Nadia, has lived in social isolation in Abu Dhabi.
Neighbors are avoiding her out of fear security forces are watching.

They are correct. By June 2017 Raven had tapped into her mobile device and
given her the code name Purple Egret, program documents reviewed by Reuters
show.

To do so, Raven utilized a powerful new hacking tool called Karma, which
allowed operatives to break into the iPhones of users around the world.
(Reuters, 2019)
[https://www.reuters.com/investigates/special-report/usa-spying-raven/]

DarkMatter states in its appeal that “The CEO of DarkMatter has also gone
on the record with various media refuting the baseless and defamatory
allegations”. This obviously creates a requirement to judge the relative
credibility of the claims of DarkMatter versus that of the various news
gathering organizations. In this context, it was not unreasonable for the
Module Owner to treat these allegations, asserted by reputable news
organizations, as credible and take them seriously.

Risk to Our Users

The question then becomes whether it is a potential risk to our users to
allow DarkMatter to operate a certificate authority. At the heart of the
question of whether an entity should be included in our root program is
whether Mozilla can trust them to operate responsibly on behalf of the
user. While it is not predetermined that an entity which has engaged in
offensive cyberoperations would deliberately misissue certificates, it does
not seem implausible either. The issue of corporate separation is raised as
a potential mitigating factor here, namely that the certificate issuing
operation is a different company from that which is allegedly performing
offensive operations. However, as the Module Owner notes, they share owners:

DarkMatter has argued [3] that their CA business has always been operated
independently and as a separate legal entity from their security business.
Furthermore, DarkMatter states that once a rebranding effort is completed,
“the DarkMatter CA subsidiary will be completely and wholly separate from
the DarkMatter Group of companies in their entirety.” However, in the same
message, DarkMatter states that “Al Bannai is the sole beneficial
shareholder of the DarkMatter Group.” and leaves us to assume that Mr. Al
Bannai would remain the sole owner of the CA business. More recently,
DarkMatter announced that they are transitioning all aspects of the
business to DigitalTrust and confirmed that Al Bannai controls this entity.
This ownership structure does not assure me that these companies have the
ability to operate independently, regardless of their names and legal
structure.

This is not an unreasonable concern. In sum, we conclude that it was not
unreasonable for the Module Owner to conclude that the allegations of
misconduct by Dark Matter were credible and that if they were true then
allowing DarkMatter into the root program posed an unacceptable risk to our
users.

Appeal Grounds

As discussed above, taken alone we consider the Module owner’s decision
reasonable. We now turn to the details of DigitalTrust’s appeal, which
focuses largely on process rather than on the merits of the Module Owner’s
decision.

DigitalTrust/Dark Matter’s appeal is in 6 parts. For reference, we link to
each part below along with its initial summary.

Part 1: Conflict of Interest:
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/Qdfd3wgRDwAJ

Part 2: Procedural Fairness/Bias:
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/XpW2-SwMDwAJ

Part 3: Abuse of Discretionary Power:
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/Olr1NgoRDwAJ

Part 4: Discriminatory Practices:
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YoUMUAoRDwAJ

Part 5: Erroneous Legal Conclusions:
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/bMRuZwoRDwAJ

Part 6: Violation of Anti-Trust Laws:
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/VFc1fwoRDwAJ

We do not believe that the TLMC is an appropriate body to consider part 6,
and therefore we considered only parts 1-5.

Part 1: Conflict of Interest

The appeal reads, in part:

The Module Owner failed to recognize, or blatantly ignored, undisclosed
Conflict of Interests posed by certain participants (including Mozilla
Staff) who represent for-profit corporations with a significant (including,
but not limited, to global market dominance and monopolization power)
economic interest in the outcome of the Applicant’s Root Inclusion, and the
distorting impact of such Conflict of Interests on the Module Owner’s
discretionary decision.

a) The Mozilla Corporation is a wholly-owned for-profit subsidiary of the
Mozilla Foundation. The for-profit Mozilla Corporation provides internet
based browser software and other related services. Access to the entire
global internet traffic is controlled by four (4) Browser Root Stores
(Mozilla Corporation, Google, Microsoft and Apple). Two of these
commercial Browser Root Stores are the most significant search engine
providers on the internet, and therefore have a substantial economic
interest in the global Certificate Authority business (including in the
United Arab Emirates). Approximately 93% to 94% of Mozilla Corporation’s
revenues are derived from such search engine providers. [3]

b) The Module Owner is employed by the for-profit Mozilla Corporation as a
Certificate Authority Program manager. Key Mozilla staff who are involved
in framing the negative media feedback about the Root Inclusion are also
employed by the for-profit Mozilla Corporation. [4] Key CA/Policy
participants in the Mozilla CA Module are also employed by other commercial
Certificate Authorities/or Browser Stores which have a significant economic
stake in the Root Inclusion decision [5].

c) In light of the above, the Module Owner had a responsibility to ensure
that any Conflict of Interests by any participants in the Root Inclusion
discussions are clarified for the record so that undisclosed interests
(including economic market domination and monopolization of the global
Certificate Authority business ecosystem) which may distort the Module
Owner’s decision making process are publicly disclosed for interested
media, the general public, and global trade/competition regulators.

There are two claims here: first, that the participants in the
discussion have a conflict of interest, and second, that the Module Owner has
a conflict of interest. The first claim misunderstands the structure of the
process, which is one of open input but not consensus decision making. In
this process, the Module Owner takes in input and uses it in whatever form
they deem necessary to make their recommendation/decision. Thus, it is not
necessary that participants publicly disclose conflicts. With that said, we
note that the affiliations of many of the discussion participants are
clearly listed on the wiki
[https://wiki.mozilla.org/CA/Policy_Participants].

The second claim is that the Module Owner has a conflict because he is
employed by Mozilla Corporation and Mozilla Corporation derives its revenue
primarily from search engine providers who also happen to be certificate
authorities. Given the large existing size of the CA market and the
existence of a free certificate authority in the form of Let’s Encrypt, the
link from a potential Google desire to avoid a new entrant to the CA market
to a conflict of interest by a Mozilla employee seems tenuous at best.
Therefore, we do not consider this a significant process issue.

Part 2: Procedural Fairness/Bias

The appeal states:

The Module Owner’s decision making activities, and the supporting actions
of other Mozilla staff, were not procedurally fair, transparent, absent of
bias, nor made in good-faith.

a) The Applicants are headquartered in the United Arab Emirates, and have
wholly-owned subsidiaries domiciled in Canada and the European Union. The
Applicants conduct all of their business strictly in accordance with the
laws of the jurisdictions in which they operate and continue to do so.
Over the past three and half (3.5) years, the Applicants have successfully
completed two (2) Web Trust public audits verifying that the Applicants CA
business is operating in accordance with the technical standards stipulated
within Mozilla Root Store Policy and the latest version of the CA/Browser
Forum Requirements for the Issuance and Management of Publicly-Trusted
Certificates. Furthermore, the Applicants have been ISO9001 and ISO27001
certified in their quality and information systems management as an
independent verification of the management controls and governance in place
for the operations of the business itself.

b) To-date the Applicants have not been cited for any non-compliance with
the laws of the jurisdictions in which they operate, and there has never
been any credible evidence of their malfeasance in any form or shape
whatsoever.

c) Notwithstanding the above, by directly asserting and attributing a false
innuendo of “MitM Certificates” to the Applicants’ intention, the Module
Owner deliberately framed the public discussion about the merits of the
Root Inclusion requests in a significantly detrimental manner from the
outset.

As with Part 1, this misunderstands the purpose of the open discussion,
which is to provide the Module Owner with the information they need to make
a decision, not to form a community consensus with the Module Owner as an
impartial arbiter. Moreover, we don’t agree that the framing was unfair.
The relevant text is:

The rationale for distrust is that multiple sources [1][4][5] have provided
credible evidence that spying activities, including use of sophisticated
targeted surveillance tools, are a key component of DarkMatter’s business,
and such an organization cannot and should not be trusted by Mozilla. In
the past Mozilla has taken action against CAs found to have issued MitM
certificates [6][7]. We are not aware of direct evidence of misused
certificates in this case. However, the evidence does strongly suggest that
misuse is likely to occur, if it has not already.

This paragraph provides the Module Owner’s rationale for why he is
considering distrust and invites the community to comment on the matter.
This properly frames the matter on which community input is desired, and we
do not believe it biases the discussion.

Part 3: Abuse of Discretionary Power

The appeal reads:

The Module Owner’s failure to consider relevant factors that should have
been given significant, or equal weight, and deliberate
mischaracterizations of facts intended to inflate the perceived risks of
the Root Inclusion, resulted in an abuse of discretionary power.

This claim is addressed in the analysis above. We believe that the Module
Owner’s decision was within their discretion.

Part 4: Discriminatory Practices

The appeal reads:

The Module Owner conducted his decision making process, and allowed the
distrust discussion to proceed, in a manner contrary to the Mozilla
Foundation commitment to an “Internet that includes all the peoples of the
earth – where a person’s demographic characteristics do not determine their
online access, opportunities, or quality of experience”.

a) The Applicants notified Mozilla of their Root Inclusion request in
December of 2017. All TLS certificates (both EV and OV) were logged to CT.
The Applicants completed Webtrust certification for CA, for BRs, and for EV
in October 2017, and submitted the United Arab Emirates Global Roots as
well as the Applicants’ own Commercial Roots to Mozilla for inclusion. In
October 2018, the Applicants completed their second year of the required
WebTrust Audits for CA, BRs, and EV and provided the same to Mozilla for
inclusion with their root submission. Mozilla completed a successful
Policy/Process review of and technical review of the UAE Global Roots and
the Applicants’ Commercial Roots in January of 2019. Notwithstanding the
above, nowhere in his decision, nor in the call for distrust, did the
Module Owner provide any weight on the Applicants exemplary conduct in the
CA community as reflected in their WebTrust audits over the period of time
leading up to the distrust discussion.

In February of 2019, citing the disputed Reuters articles, the Module
Owner, and Mozilla staff began the distrust of the UAE Global Roots,
including the Applicants’ Commercial Roots, and implicitly put into
question the right of the United Arab Emirates to operate its existing
public trust subordinate CAs through a commercial party located in the
United Arab Emirates.

This section of the appeal rests on two misconceptions. First, DarkMatter
cites its completion of WebTrust audits as evidence of suitability, but
these audits are a floor, not a ceiling, and the ultimate decision needs to
be based on a judgement of risk, not a mechanical evaluation of audit
compliance. This is made clear in section 7.1 of Mozilla’s Root Store
Policy. Second, this Policy as written is focused entirely on the benefit
of users, not of nation states to operate their own trust anchor. While
there would potentially be concern if UAE citizens were unable to obtain
certificates, this does not appear to be so. As made clear in the Module
Owner’s decision, DigitalTrust is welcome to become ‘a “managed”
subordinate CA under the oversight of an existing trusted CA that retains
control of domain validation and the private keys.’ We consider it a
reasonable conclusion on the part of the Module Owner that this adequately
addresses the needs of UAE citizens for localized issuance.

Part 5: Erroneous Legal Conclusions

The appeal reads:

a) Digital Trust is an affiliate of DarkMatter and has never been owned by
it as a subsidiary since its incorporation in April 2016. Both companies
are subsidiaries of their parent company, Dark Matter Investments. The
Applicants have provided the necessary legal documents to Mozilla, and have
further disclosed all ultimate beneficial shareholders in a transparent
manner.

...

It is a fundamental principle of law that corporations have a statutory
personality distinct from their shareholders. If taken at face value, the
Module Owner’s erroneous assertion would imply that even the Mozilla
Foundation and the Mozilla Corporation do not have the ability to operate
independently, regardless of their names and legal structure.

It should be noted that a number of CAs, e.g. Google and Sectigo, have
complicated ownership structures and this is not cited in their ability to
operate independently. We note that to date the Module Owner has not
made this type of claim against any other Mozilla Root Store participant.

Unless the above reasoning is held to be an Erroneous Legal Conclusion made
by the Module Owner this would be, in our view, another new standard that
will be discriminatorily applied only to the Applicants, solely on the
basis of incorporation and residence in the United Arab Emirates.

In our view this confuses a legal standard with a practical standard. The
relevant practical question is whether any (alleged) malfeasance by one of
a pair of sibling companies reflects on another of the pair. In light of
the described structure, this appears to be a reasonable conclusion for the
Module Owner to have made.


Conclusion

Upon review, the TLMC believes that the Module Owner acted reasonably in
recommending the distrust of the existing DarkMatter roots and the denial
of their application. The appeal is denied.