
TeliaSonera Request to include Renewed Root


Kathleen Wilson
Dec 21, 2012, 6:46:53 PM
to mozilla-dev-s...@lists.mozilla.org
TeliaSonera has applied to add the “TeliaSonera Root CA v1” root
certificate and enable the websites and email trust bits. TeliaSonera
currently has two root certificates included in NSS, “Sonera Class1 CA”
and “Sonera Class2 CA”, that were included as per bug #258416.

TeliaSonera provides telecommunication services in the Nordic and Baltic
countries, the emerging markets of Eurasia, including Russia and Turkey,
and in Spain.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=539924

And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#TeliaSonera

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=694980

Noteworthy points:

* The CPS documents are provided in English.

Repository: https://repository.trust.teliasonera.com

Root CPS:
http://repository.trust.teliasonera.com/TeliaSonera_Root_CPS_v2.01.pdf

Server Cert CPS:
https://repository.trust.teliasonera.com/TeliaSonera_Server_Certificate_CPS_v1.01.pdf

Organizational User Cert CPS:
https://repository.trust.teliasonera.com/TeliaSonera_Organizational_User_Certificate_CPS_v1.00.pdf

* This root cert has internally-operated subordinate CAs for server,
client, and TeliaSonera internal certificates

* The request is to enable the websites and email trust bits.

* Server Cert CPS section 3.2.3: TeliaSonera has two different server
certificate services:
1) SSL order by public electronic form: TeliaSonera authenticates the
administrative contact person defined in the certificate application by
calling the contact person via the Customer’s PBX number or, when there
is no switchboard, by making a call to some other number in the
organization, which is looked up from a directory maintained by a third
party.
2) SSL order using TeliaSonera’s self service software: The Customer can
make an agreement with TeliaSonera to act as a Registration Officer
within the Customer Organization (Full SSL Service) and to register
TeliaSonera Server certificates using TeliaSonera’s RA system for
Customers. The Customer Registration Officer is restricted to register
certificates only within their own Organization (O) and the domain names
authorized by the CA. Before enabling the service or adding new
authorized Organization or domain names, the CA verifies the
organization identity and the domain names as described in the section
3.2.2.
When registering Subjects, the identity of the Registration Officer is
verified by means of the Registration Officer’s certificate issued by a
TeliaSonera CA.

* Server Cert CPS section 3.2.2: TeliaSonera verifies domain names and
IP addresses from a database maintained by a reliable third party
registrar, e.g. “domain.fi” (for domain “.fi”), iis.se (for domain
“.se”), ripe.net (for IP addresses) and
www.networksolutions.com/whois-search (for non-country domains), that
as of the date the Certificate was issued, the Applicant either had the
right to use, or had control of, the Fully-Qualified Domain Name(s) and
IP address(es) listed in the Certificate, or was authorized by a person
having such right or control (e.g. under a Principal-Agent or
Licensor-Licensee relationship) to obtain a Certificate containing the
Fully-Qualified Domain Name(s) and IP address(es).

* Bug Comment #2: In enterprise RA cases when Customer Registration
Officer is allowed to enroll server certificates for his/her
organization each organization and domain value is first inspected by
TeliaSonera Registration Officer using the documented checking rules.
Then the values are added to the configuration of that customer so that
later the customer can use same values without a new verification.

* Organizational User Cert CPS section 3.2.3: The procedures to
authenticate the identity of the Subject vary between the different
TeliaSonera certificate services:
** TeliaSonera Class 1 CA v1 – TeliaSonera or Customer Registration
Officer is responsible for authenticating the Subject data according to
Organization’s internal policies. Subject authentication is typically
based on a previously recorded ownership of Customer’s email address,
device, or mobile phone number.
If Common Name or dnsName field of Subject Alternative Name includes
public domain names, TeliaSonera verifies that Customer Organization has
right to use them by checking the ownership from the official records
(e.g. domain.fi (.fi), iis.se (.se) or
www.networksolutions.com/whois-search). A written permission from the
registered legal owner is an alternative.
TeliaSonera verifies the ownership of an email address by sending a
one-time-password to the applied email-address. Then the Subject entity
must use the password within limited time frame to prove the access to
the email-address. In Enterprise RA cases email-address can be taken
from reliable internal source of the Subscriber without additional
verification by one-time-password.
** TeliaSonera Class 2 CA v1 – Customer or TeliaSonera Registration
Officer is responsible for authenticating the Subject. The Registration
Officers are obliged to follow the policies and instructions given by
the CA.
The Registration Officer should use Organization’s previously recorded
directories, databases or other similar information on Organization’s
employees, partners or devices to verify the Subject information
including the email address, or the Registration Officer should verify
the information by checking the Subject’s identity card.
** TeliaSonera Email CA v3 – Certificates are issued to employees within
the TeliaSonera Group and individuals contracted by TeliaSonera. The
Subscriber is authenticated using a username and password and
information stored in TeliaSonera’s directories or databases.

* EV Policy OID: Not applicable.

* Root Cert Download URL:
http://repository.trust.teliasonera.com/teliasonerarootcav1.cer

* Test URL: https://juolukka.cover.sonera.net:10443/

* CRL
http://crl-2.trust.teliasonera.com/teliasonerarootcav1.crl
http://crl-3.trust.teliasonera.com/teliasonerarootcav1.crl
(NextUpdate: 7 days)
Root CPS Section 4.9.7: CRLs are published at least once a day. The
CRL validity period is 168 hours (7 days).

* OCSP: http://ocsp.trust.teliasonera.com/

* Audit: Annual WebTrust audits are performed by Ernst & Young and
posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1369 (2012.03.31)

Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices):
* Issuing end entity certificates directly from roots
** Bug Comment #2: We are stopping this problematic practice during this
year when our new TeliaSonera CAs are replacing the old Sonera CAs.

This begins the discussion of the request from TeliaSonera to add the
“TeliaSonera Root CA v1” root certificate and enable the websites and
email trust bits. At the conclusion of this discussion, I will provide a
summary of issues noted and action items. If there are no outstanding
issues, then this request can be approved. If there are outstanding
issues or action items, then an additional discussion may be needed as
follow-up.

Kathleen
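The e-mail control check summarised in the Organizational User Cert CPS section 3.2.3 above (a one-time password sent to the applied address that must be used within a limited time frame) is a common address-control validation pattern. The following is an added illustration written for this page, not TeliaSonera's or Mozilla's code; the class name `EmailControlValidator`, its parameters (`ttl_seconds`, `max_attempts`, `now`) and the sample addresses are assumptions of the example. It shows the properties such a validator needs so that the check actually proves control: the OTP is stored server-side only as a keyed hash, it expires, it is single-use, it is bound to the address it was issued for, and wrong guesses are capped.

```python
"""Single-use, time-limited one-time password for proving control of an
e-mail address (constructed example; not TeliaSonera's implementation)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingChallenge:
    email: str
    token_hash: bytes      # only an HMAC of the OTP is kept server-side
    expires_at: float      # unix time after which the OTP is rejected
    attempts_left: int     # cap on wrong guesses before the challenge is voided


class EmailControlValidator:
    """Issue and verify OTPs that prove an applicant can read a mailbox."""

    def __init__(self, ttl_seconds: int = 900, max_attempts: int = 5,
                 secret: Optional[bytes] = None):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        # Per-deployment HMAC key; a leaked table of hashes is useless without it.
        self._secret = secret or secrets.token_bytes(32)
        self._pending: Dict[str, PendingChallenge] = {}

    def _hash(self, email: str, token: str) -> bytes:
        # Bind the hash to the (case-folded) address so an OTP issued for one
        # mailbox cannot be replayed against another.
        msg = f"{email.lower()}\0{token}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh OTP for `email`. The returned string is what would be
        e-mailed to the applicant; re-issuing replaces any earlier challenge."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)          # ~192 bits of entropy
        key = email.lower()
        self._pending[key] = PendingChallenge(
            key, self._hash(email, token), now + self.ttl, self.max_attempts)
        return token

    def verify(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Return True exactly once, iff the OTP matches, is unexpired and unused."""
        now = time.time() if now is None else now
        key = email.lower()
        challenge = self._pending.get(key)
        if challenge is None:
            return False                           # nothing outstanding for this address
        if now > challenge.expires_at:
            del self._pending[key]                 # expired: applicant must request a new OTP
            return False
        if hmac.compare_digest(challenge.token_hash, self._hash(email, token)):
            del self._pending[key]                 # single use: consumed on success
            return True
        challenge.attempts_left -= 1
        if challenge.attempts_left <= 0:
            del self._pending[key]                 # too many wrong guesses: void the challenge
        return False


if __name__ == "__main__":
    v = EmailControlValidator(ttl_seconds=600)
    otp = v.issue("admin@example.test")            # constructed sample address
    print("first use:", v.verify("admin@example.test", otp))
    print("replay:", v.verify("admin@example.test", otp))
```

In a real RA system the token would go out by e-mail and the pending table would be persisted; the optional `now` argument exists so the expiry path can be exercised deterministically rather than by waiting.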

petter.l...@gmail.com
Jan 21, 2013, 5:19:20 AM
to mozilla-dev-s...@lists.mozilla.org, petter.l...@gmail.com, pekka.la...@teliasonera.com
I have read the information and can verify it is correct.
Petter Ljunggren

Kathleen Wilson
Feb 27, 2013, 8:01:35 PM
to mozilla-dev-s...@lists.mozilla.org
All,

Please review and comment on this request from TeliaSonera to add their
next generation root certificate.

If no concerns are raised, then early next week I plan to close this
discussion and recommend approval in the bug.

Thanks,
Kathleen

ch...@soghoian.net
Mar 1, 2013, 7:19:02 AM
to mozilla-dev-s...@lists.mozilla.org
This is the same TeliaSonera that has been accused of assisting the governments of Belarus, Uzbekistan, Azerbaijan, Tajikistan, Georgia and Kazakhstan with their efforts to spy on journalists, union leaders, and members of the political opposition?

See 1 hour documentary on the topic here:
http://vimeo.com/41248885

One whistle-blower who worked for Teliasonera told the documentary reporters, “The Arab Spring prompted the regimes to tighten their surveillance. ... There’s no limit to how much wiretapping is done, none at all.”

EFF's blog post:
https://www.eff.org/deeplinks/2012/05/swedish-telcom-giant-teliasonera-caught-helping-authoritarian-regimes-spy-its

Slate's story:
http://www.slate.com/blogs/future_tense/2012/04/30/black_box_surveillance_of_phones_email_in_former_soviet_republics_.html

Why would we want to expand the ability of this company to create MiTM certificates for Firefox users? If anything, we should be discussing kicking them out of the CA trust database.

If you want to be in the surveillance business, you shouldn't get to be a CA too.

Moudrick M. Dadashov
Mar 1, 2013, 8:41:21 AM
to ch...@soghoian.net, dev-secur...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
Chris, while I 100% agree with you, your list of TeliaSonera
"achievements" is far from complete.

Not so long ago, like yourself, I presented similar arguments
against a TeliaSonera controlled CA from Estonia (aka a pocket CA). Even
though the CA failed to address elementary questions (re: outsourced RA,
OCSP practices etc.) they are in the trusted Root list now. This is
definitely unfortunate; a trusted entity can't be half pregnant (a CA's
corrupted el. signature business doesn't affect its SSL service..).

TeliaSonera is not an organization like most of us are familiar with.
TeliaSonera is an umbrella for tens or maybe even hundreds of
"independent" entities; it's a network of organizations. I've never seen
such a deeply corrupted infrastructure as TeliaSonera. But anyway, let's
help the community to understand why we should NOT trust TeliaSonera in
terms of this Root program's requirements.

So far I was able to review only one document: TeliaSonera – Root
Certification Practice Statement – v. 2.01. From what I've learned from
this document they are "upgrading" a geographically limited Root with
one that is geographically unlimited. The unlimited Root is going to
host issuing CAs for a client, e.g. for a good President of country X.

TeliaSonera, could you please explain to us why you need this
geographically unrestricted Root CA?

Thank you, and please don't take this personally..

M.D.
Tom Lowenthal
Mar 2, 2013, 12:58:24 PM
to mozilla-dev-s...@lists.mozilla.org, Chris Soghoian
I think that Chris and Moudrick are pointing out that TeliaSonera has a history of taking actions hazardous to users, and that this provokes a reasonable suspicion that they would act similarly in future, even if such action would not comply with our CA agreement.

The particular suspicion seems to be that they would comply with state actors to engage in communications interception and surveillance. Perhaps some of this interception might be subject to the laws (or norms) of some of the countries in which TeliaSonera operates, but some may be extra-legal, or international. Based on past performance, we could expect such interception -- legal/normal or otherwise -- to be disproportionately targeted towards political dissidents, to be substantially contrary to the interests of those users, and potentially to have lethal or personal safety consequences for such users, their family, or their colleagues.

* * * * *

Again it seems that we have to re-visit the question of what kind of evidence or suspicion of misbehavior justifies rejection of a root request. I suggest that the evidence of previous malpractice and unethical behavior is sufficient in this case.

Stephen Schultze
Mar 2, 2013, 1:05:27 PM
to mozilla-dev-s...@lists.mozilla.org
Based on the ample evidence of non-trustworthy behavior, I propose that
TeliaSonera's existing roots be removed from the trusted root database.

Inclusion of roots by this company does not pass the straight-face test if
you ask whether they "cause undue risks to users' security."

Steve

On 3/1/13 7:19 AM, ch...@soghoian.net wrote:
> This is the same TeliaSonera that has been accused of assisting the governments of Belarus, Uzbekistan, Azerbaijan, Tajikistan, Georgia and Kazakhstan with their efforts to spy on journalists, union leaders, and members of the political opposition?
>
> See 1 hour documentary on the topic here:
> http://vimeo.com/41248885
>
> One whistle-blower who worked for Teliasonera told the documentary reporters, “The Arab Spring prompted the regimes to tighten their surveillance. .... There’s no limit to how much wiretapping is done, none at all.”

Moudrick M. Dadashov
Mar 2, 2013, 2:43:43 PM
to Tom Lowenthal, mozilla-dev-s...@lists.mozilla.org, dev-secur...@lists.mozilla.org, Chris Soghoian
Anybody on this list familiar with how ACB/ITSS works?
https://www.rtgserver.net/

a sample report:
http://www.dbs.lt/show_big_img.php?src=./att_files/img9_3020.jpg#

Manufacturer:
Cibertec International S.A., http://www.cibertec.com/

Countries where TeliaSonera deployed this "value-added service":
Costa Rica, Panama, Nicaragua, Honduras, Ukraine, Latvia, Lithuania,
Philippines, Singapore, Morocco, Colombia, Malaysia, Mexico, Ecuador,
Caribbean Islands, BVI, Jamaica, Cayman Is, Barbados, Armenia, Kirgizstan...

ACB/ITSS is a fixed voice network spying system and philosophy of
TeliaSonera's business model: Pecunia non olet.

IMO TeliaSonera Root inclusion request must be declined because of
unacceptable business practices.

Forward this email to someone from EU authorities and/or Swedish
Government you know.

Thanks,
M.D.
P.S. More first hand corruption related facts available.

pekka.la...@teliasonera.com
Mar 6, 2013, 6:21:39 AM
to mozilla-dev-s...@lists.mozilla.org
Please check www.teliasonera.com/newsroom for current and correct information regarding our business as well as our operation in Eurasia. Should concerns still remain, happy to discuss.

Reasons to upgrade TeliaSonera CA Root certificate are simply:
• Longer validity time for business continuity
• Longer key length: 2k -> 4k
• New company name: Sonera -> TeliaSonera
• New CA hierarchy to stop using Root CA to sign end-entity certificates

This TeliaSonera Root CA issues public certificates only to Swedish and Finnish customers and citizens. Both countries have their own RA and sub CA under the new root: “TeliaSonera Class1 CA v1” for certificates issued from Finland and “TeliaSonera Class2 CA v1” for certificates issued from Sweden. All our processes and certificates follow Mozilla requirements and are validated yearly in a WebTrust audit.

Martin Millnert
Mar 6, 2013, 7:21:50 AM
to pekka.la...@teliasonera.com, dev-secur...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
Hi,

On Wed, 2013-03-06 at 03:21 -0800, pekka.la...@teliasonera.com
wrote:
> Please check www.teliasonera.com/newsroom for current and correct
> information regarding our business as well as our operation in
> Eurasia. Should concerns still remain happy to discuss.

I checked the link and found a factbook on TeliaSonera in Eurasia, [0],
but I don't see any response to the criticism brought up in [1] [2] [3]
in it.

Has this criticism been met elsewhere, which I missed on the link?

If the criticism is incorrect I imagine it should be trivial to reject
it.

[4] makes you doubt though:
"We have a clear policy in place to ensure that all requests are handled
in a legally correct way, and we aim to communicate them on our
corporate website /to the extent possible/." - emphasis mine.

Best regards,
Martin

[0] http://www.teliasonera.com/Documents/Public%20policy%20documents/TeliaSonera_Factbook_Eurasia_01022013.pdf
[1]
https://www.eff.org/deeplinks/2012/05/swedish-telcom-giant-teliasonera-caught-helping-authoritarian-regimes-spy-its
[2]
http://www.slate.com/blogs/future_tense/2012/04/30/black_box_surveillance_of_phones_email_in_former_soviet_republics_.html
[3] http://vimeo.com/41248885
[4]
http://www.teliasonera.com/en/newsroom/news/2012/tcell-restricts-access-to-facebook-after-legal-request/

Stephen Schultze
Mar 8, 2013, 5:10:15 PM
to mozilla-dev-s...@lists.mozilla.org
I asked Sarah Kendzior, an anthropologist who studies the internet in
eastern Europe, about this thread. She said:

===
Hi Stephen. I read through the Google thread on Teliasonera and I
absolutely agree with you, Chris Soghoian and others who see Teliasonera
as corrupt and untrustworthy. As he noted, they have assisted the
repressive governments of many former Soviet states and are currently
involved in a money laundering/bribery scandal in Uzbekistan, one of the
worst dictatorships in the world. Their main point of contact is Gulnara
Karimova, the daughter of the Uzbek president who is essentially a
mafioso princess; she has a history of corrupt business dealings going
back decades.

Teliasonera has tried to blame the Uzbek scandal on their efforts to "do
business in a corrupt country" instead of on their own corruption, but
they have engaged in similar deals with the former royal family of
Nepal, who have a long history of shady deals, as well as the other
countries Soghoian mentions. The problem is with Teliasonera -- the
countries and people they choose to work with are a reflection of their
own ethics.

Eurasianet and Radio Free Europe, which specialize in reporting on the
former Soviet Union, have been following the Teliasonera case closely.
Here are a couple of suggested links:

http://www.rferl.org/content/uzbekistan-teliasonera-ceo-quits/24890276.html

http://www.eurasianet.org/node/66375

Joanna Lillis at Eurasianet has done solid reporting on this; her other
articles are worth checking out too.

Hope this helps!

Sarah
===

Erwann Abalea
Mar 9, 2013, 10:33:39 AM
to
On Thursday, 28 February 2013 02:01:35 UTC+1, Kathleen Wilson wrote:
> Please review and comment on this request from TeliaSonera to add their
> next generation root certificate.
>
> If no concerns are raised, then early next week I plan to close this
> discussion and recommend approval in the bug.

Reading the other messages, it looks like the "no comment means approval" isn't always a valid approach (I'm not saying it's always wrong).
By chance, the detractors here aren't behind a GFW-like barrier.

Nothing has been shown proving they misbehaved in their CA role. That was the argument to approve CNNIC.
On the other hand, the company seems to misbehave on some markets, with eavesdropping activities. Being a CA extends the ability to spy on users.

I agree with Tom's post (every word of it).

Peter Kurrasch
Mar 11, 2013, 6:07:38 PM
to dev-secur...@lists.mozilla.org
Previously...
> Nothing have been showed proving they mis-behaved in their CA role. That was the argument to approve CNNIC.
> On the other hand, the company seems to mis-behave on some markets, with eavesdropping activities. Being a CA extends the ability to spy on users.
In fact, I think we've been discussing on this list that root CAs are
responsible for their subordinates. Ergo, TeliaSonera bears
responsibility for the well-documented misdeeds by organizations that
chain up to their roots.

In light of all that has been presented on this list it seems clear that
TeliaSonera should be prohibited from participating in the Mozilla
trusted root program. This means that the current request be denied as
well as future requests. I think an argument could be made that a
permanent block be added to Mozilla products for current/known roots.
After all, the same action was taken after the DigiNotar fiasco and what
TeliaSonera is doing now is just as bad--if not worse.

Kathleen Wilson
Mar 11, 2013, 7:47:59 PM
to mozilla-dev-s...@lists.mozilla.org
I think that we can take this a step further...

There appears to be evidence of TeliaSonera *currently* providing
software/services/devices (?) that enable their customers to engage in
communications interception and surveillance. Additionally, it appears
that TeliaSonera is *currently* providing such services to oppressive
regimes.

If they are *currently* engaging in this practice, then it's a very
small step for them to also include certificates chaining up to their
publicly trusted roots.

Many software companies (including some who have become CAs) made the
mistake years ago of selling software that basically did MITM type
things. However, all software companies (especially CAs) should know by
now the risk involved in selling such software. In my opinion, it is
very dangerous for any publicly-trusted CA to also be in the business of
selling software/services that can be used for communications
interception and surveillance. It is even more obviously dangerous for a
publicly-trusted CA to be selling such services to oppressive regimes.
Perhaps we can add policy that publicly-trusted CAs must not supply
surveillance equipment to repressive regimes -- suggestions on wording
and where to begin are welcome. In the meantime, we can still take action.

Based on the articles that I've reviewed, I think there may be
sufficient evidence that TeliaSonera has been recently selling something
to oppressive regimes that may have been used for "spying."

I will greatly appreciate it if you can all help develop this evidence
by providing specifics about what exactly it is that TeliaSonera has
been selling and how it is used for spying by the oppressive regimes
that are their customers.

Thanks,
Kathleen

ch...@soghoian.net
Mar 12, 2013, 12:50:04 AM
to mozilla-dev-s...@lists.mozilla.org
Kathleen,

I welcome (and applaud) your statement that "it is very dangerous for any publicly-trusted CA to also be in the business of selling software/services that can be used for communications interception and surveillance."

I am also delighted to hear that you are open to the idea of punishing TeliaSonera for its role in facilitating surveillance in multiple countries.

Mozilla can and should establish a policy that CAs may not also be in the surveillance business. However, I see no reason to limit such a prohibition to the sale of surveillance technologies or services to authoritarian governments. The prohibition should apply to all governments.

I don't think I am alone in saying that I don't want a company that provides surveillance technology or services to any government - my own country, another western country, or anywhere else in the world to be trusted by my web browser with MiTM powers.

TeliaSonera provides us with a good opportunity to open the books, and consider a broader anti-surveillance CA policy. That TeliaSonera is assisting human rights abusing governments is of course bad, but that they are merely in the surveillance business should be more than enough of a reason to kick them out of the trust database.

Finally, it is worth noting that security experts have been raising similar concerns for nearly a decade. See I. Grigg and A. Shostack, VeriSign and Conflicts of Interest, February 2, 2005. http://forum.icann.org/lists/net-rfp-verisign/msg00008.html.

Thanks,

Chris

Eitan Adler
Mar 12, 2013, 1:36:34 AM
to ch...@soghoian.net, mozilla-dev-s...@lists.mozilla.org, mozilla.dev.s...@googlegroups.com
On 12 March 2013 00:50, <ch...@soghoian.net> wrote:
> Kathleen,
>
> I welcome (and applaud) your statement that "it is very dangerous for any publicly-trusted CA to also be in the business of selling software/services that can be used for communications interception and surveillance."
>
> I am also delighted to hear that you are open to the idea of punishing TeliaSonera for its role in facilitating surveillance in multiple countries.
>
> Mozilla can and should establish a policy that CAs may not also be in the surveillance business. However, I see no reason to limit such a prohibition to the sale of surveillance technologies or services to authoritarian governments. The prohibition should apply to all governments.

+1. Mozilla should not be in the business of deciding which
governments that conduct surveillance are 'good' and which are 'bad'.
There should be a blanket policy prohibiting companies that sell
communications interception or surveillance software or services from
being considered a publicly-trusted CA.

--
Eitan Adler

Kathleen Wilson
Mar 12, 2013, 12:41:00 PM
to mozilla-dev-s...@lists.mozilla.org
Some things we should consider...

1) I think it's safe to assume that every government has some sort of
reconnaissance surveillance and intelligence systems organization. So
then wouldn't every government CA fall into this category? We've tried
many times to figure out what to do about government CAs
(https://wiki.mozilla.org/CA:GovernmentCAs), but I don't believe we
should simply ban all government CAs.

2) There are some very large non-government organizations that have a
broad set of products, they may have grown through acquisitions, and may
have several independently-operated subsidiaries. Let's imagine an
example and say that a particular company has one subsidiary that sells
Sonicwall devices, and another subsidiary that is a publicly trusted CA.
Would it be reasonable to kick that CA out of Mozilla's program? What if
that CA has been a good-behaving CA for many years and is regularly
audited, and there is no evidence that they are not keeping their CA
program independent other than the umbrella company that owns them?

3) Is it the responsibility of the company selling their products to
make sure they are not used inappropriately? This question applies to
selling computers, telecommunications devices, other electronic devices,
etc.

4) Is there a clear distinction that can be used to identify which
products are "surveillance products"? (Can't any computer be used for
surveillance?)

5) Is there a clear distinction that can be used to identify which
countries have oppressive regimes? Is it reasonable to prohibit
companies from selling their products in those countries?

6) Mozilla's policy says: "Mozilla may, at its sole discretion, disable
(partially or fully) or remove a certificate at any time and for any
reason." However, (despite all the mean words that get thrown at me) I
do try to run the program in a fair, open, and impartial manner. It can
be very difficult to distinguish between a smear campaign and a truly
bad-acting CA, especially when there is another language, culture, and
politics involved.


Kathleen
Peter Kurrasch
Mar 12, 2013, 3:50:32 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On 03.12.2013 11:41 AM, Kathleen Wilson wrote:
> Some things we should consider...
>
> 1) I think it's safe to assume that every government has some sort of
> reconnaissance surveillance and intelligence systems organization. So
> then wouldn't every government CA fall into this category? We've tried
> many times to figure out what to do about government CAs
> (https://wiki.mozilla.org/CA:GovernmentCAs), but I don't believe we
> should simply ban all government CAs.
I would put it a little differently. I think we have every reason to
assume that major world governments have "special" arrangements with the
major players in the root CA game. It is those relationships that
should be scrutinized and handled accordingly. Obviously by their very
nature it is hard to learn about any such arrangements, but I
nonetheless would say that is where our concern lies. If a government
wishes to operate as a CA itself it deserves the same scrutiny as any
other CA (see also my comments below).

> 2) There are some very large non-government organizations that have a
> broad set of products, they may have grown through acquisitions, and
> may have several independently-operated subsidiaries. Let's imagine an
> example and say that a particular company has one subsidiary that
> sells Sonicwall devices, and another subsidiary that is a publicly
> trusted CA. Would it be reasonable to kick that CA out of Mozilla's
> program? What if that CA has been a good-behaving CA for many years
> and is regularly audited, and their is no evidence that they are not
> keeping their CA program independent other than the umbrella company
> that owns them?
I would say this be handled on a case-by-case basis. So much would
depend on the nature of the ownership and the ways in which trust has
been violated.

I would add that past behavior is not necessarily a predictor for future
good deeds. Changes in management within an organization can lead to a
change in principles and priorities. Such changes can affect how we (as
outsiders) feel about the organization and how much trust we are willing
to extend.

> 3) Is it the responsibility of the company selling their products to
> make sure they are not used inappropriately? This question applies to
> selling computers, telecommunications devices, other electronic
> devices, etc.
For the purposes of establishing and maintaining the idea of trust I
think this is an easy one: absolutely yes. It's not enough for me to
grab a crypto box of some sort--I also have to know how to decode the
data. If I can steal a private key, trust has been broken. If the
producer of the box is complicit in providing me with a backdoor means
to decode the data, trust is just as broken.

> 4) Is there a clear distinction that can be used to identify which
> products are "surveillance products"? (Can't any computer be used for
> surveillance?)
I don't think such a distinction is necessary--spying is spying. CAs
are not to issue certs or divulge private keys (or ???) in order to
facilitate spying (again, see my comments below).

> 5) Is there a clear distinction that can be used to identify which
> countries have oppressive regimes? Is it reasonable to prohibit
> companies from selling their products in those countries?
I'm sure there are but I think it would be best to avoid that
philosophical discussion if possible (and see my comments below). If
you are an employer trying to spy on your employees or some regime
trying to silence the opposition, I don't think it matters much for our
purposes here.

> 6) Mozilla's policy says: "Mozilla may, at its sole discretion,
> disable (partially or fully) or remove a certificate at any time and
> for any reason." However, (despite all the mean words that get thrown
> at me) I do try to run the program in a fair, open, and impartial
> manner. It can be very difficult to distinguish between a smear
> campaign and a truly bad-acting CA, especially when there is another
> language, culture, and politics involved.
I think you do a good job! and you are as fair, open, and impartial as
anyone can reasonably expect!

At the risk of oversimplifying, I think this entire discussion can be
boiled down to one word: trust.

1) We are talking about the "trusted store" for root CAs, and we enable
"trust bits" on certain certificates. Trust is at the very core of what
we're doing here. Trust is the foundation of PKI writ large!

2) Once trust is lost it is very hard to regain it (and this can be
said of any organization--the New York Times went through this some
years ago when it had trouble with reporters plagiarizing or forging
articles). As such, it is in Mozilla's profound interest to establish
and maintain that trust (hence the policy allowing Mozilla to act on its
own). Failure to do so would have serious consequences to Mozilla
products and the organizational mission.

3) We (Mozilla and contributors) do our best to ensure that only those
certs that are "believed to be good" get included in the trusted store.
This is not a perfect nor exact process, but we employ the relevant
standards, recommendations, best practices, and common sense in an
effort to reach a conclusion.

4) Likewise, we strive to block those certs that are "known to be
bad". Whether compromised by theft, negligence, or bad acts we discuss
the situation and act accordingly (including disabling or removing
certs). Some recent examples (with various outcomes) include DigiNotar,
the recent Turktrust flap, and now TeliaSonera.

5) When rendering a decision to remove/disable a CA from the trusted
store, I think the policy should be to record the reason for the action
(somewhere on the wiki?) and include links to articles, etc. that were
used to reach that conclusion. I would say that if you have 3 or 4
independent and objective reports documenting a bad act, that should be
sufficient. Also by making the links public we allow for the
possibility to revisit the issue should one or more reports prove
fraudulent--or more information otherwise become available. In other
words, perhaps a "known to be bad" agency could one day be "believed to
be good".

I hope the above stimulates further discussion!

Jean-Marc Desperrier

Mar 13, 2013, 5:02:04 AM3/13/13
to mozilla-dev-s...@lists.mozilla.org
Stephen Schultze wrote:
> Their main point of contact is Gulnara Karimova, the daughter of the
> Uzbek president who is essentially a mafioso princess; she has a history
> of corrupt business dealings going back decades.

Oh, so that's the girl with whom Depardieu is singing ...

irene...@teliasonera.com

Mar 13, 2013, 12:11:22 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
On Saturday, 22 December 2012 00:46:53 UTC+1, Kathleen Wilson wrote:

TeliaSonera was founded in the 1850’s and has its roots in the Nordic telecom market. We are pioneers of the telecom industry, one of the inventors of mobile communications and founders of GSM. Today we help our more than 71 million subscribers in the Nordic and Baltic countries, Eurasia and Spain to communicate by providing high quality telecommunication services. We are also the leading European wholesale provider with a wholly-owned international carrier network.

As for all operators - TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime. This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation. Together with a group of other international telecom companies TeliaSonera formed the Industry Dialogue 2011 to discuss freedom of expression and privacy rights in the sector, in the context of the UN Guiding Principles on Business and Human Rights. Standing together enables the participating companies to act in the same, sustainable manner. The collaboration is the beginning of a common journey.

Through our presence in Eurasia, we are generating growth for our shareholders, but even more important are the opportunities that our services create in the countries where we have set up business. Few tools are better for economic and personal development than access to the internet and mobile telephony. They enable people to communicate with each other and the outside world in a way that was not possible a few years ago, and they open up previously closed societies to the outside world. Our contribution is through our investment in important infrastructure, and through provision of communication services at affordable prices to the vast majority of the population.


irene...@teliasonera.com

Mar 13, 2013, 12:44:25 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
Official reply from TeliaSonera.

TeliaSonera was founded in the 1850’s and has its roots in the Nordic telecom market. We are pioneers of the telecom industry, one of the inventors of mobile communications and founders of GSM. Today we help our more than 71 million subscribers in the Nordic and Baltic countries, Eurasia and Spain to communicate by providing high quality telecommunication services. We are also the leading European wholesale provider with a wholly-owned international carrier network.

As for all operators - TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime. This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation. Together with a group of other international telecom companies TeliaSonera formed the Industry Dialogue 2011 to discuss freedom of expression and privacy rights in the sector, in the context of the UN Guiding Principles on Business and Human Rights. Standing together enables the participating companies to act in the same, sustainable manner. The collaboration is the beginning of a common journey.

Through our presence in Eurasia, we are generating growth for our shareholders, but even more important are the opportunities that our services create in the countries where we have set up business. Few tools are better for economic and personal development than access to the internet and mobile telephony. They enable people to communicate with each other and the outside world in a way that was not possible a few years ago, and they open up previously closed societies to the outside world. Our contribution is through our investment in important infrastructure, and through provision of communication services at affordable prices to the vast majority of the population.
Irene Krohn, Senior Media Relation Manager

ch...@soghoian.net

Mar 13, 2013, 1:38:30 PM3/13/13
TeliaSonera has now confirmed, via the press release posted to this group by their public relations manager, that they are in the interception business. Although they insist that they do not provide any interception services beyond those required by law in the countries in which they operate, that should not impact Mozilla's decision.

There are plenty of certificate authorities out there, including many that are not in the surveillance business, and want nothing to do with it. Mozilla can and should use its power to force these companies to pick which market they want to be in - they can either provide wiretaps or HTTPS certificates, but not both.

In many countries (including the US), telecommunications carriers are required to provide surveillance assistance to governments. This will likely mean that telecommunications carriers will not be able to be in the certificate business.

Due to the really nasty governments that TeliaSonera has assisted, I think that Mozilla should promptly move towards kicking the company out of the CA database. In the long term, Mozilla should also embrace a broader anti-surveillance policy (with sufficient notice, large conglomerates with surveillance and CA divisions will be able to sell their CA division to another company that is not in the surveillance business).

As for how to identify which companies sell surveillance technology and services: As a general rule of thumb, if a company offers "lawful interception" products and services, it is in the surveillance business. If it spies on its customers for governments by secretly handing over their communications data, it is in the surveillance business. If it exhibits at ISS World (aka the wiretappers ball), it is in the surveillance business.

Finally, Kathleen also raises the important issue of government CAs. These should also be addressed, but we shouldn't block action on surveillance companies because we haven't figured out how to deal with governments.



Eddy Nigg

Mar 13, 2013, 6:21:40 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
On 03/13/2013 07:38 PM, From ch...@soghoian.net:
> This will likely mean that telecommunications carriers will not be able to be in the certificate business.

This is actually a good point and there might be a conflict of
interest/requirements for such entities. It makes sense from my point of
view that being such a service provider might be more than problematic.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Rob Stradling

Mar 13, 2013, 6:42:00 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
On 13/03/13 22:21, Eddy Nigg wrote:
> On 03/13/2013 07:38 PM, From ch...@soghoian.net:
>> This will likely mean that telecommunications carriers will not be
>> able to be in the certificate business.
>
> This is actually a good point and there might be a conflict of
> interest/requirements for such entities. It makes sense from my point of
> view that being such a service provider might be more than problematic.

Chris, Eddy, just to look at this same issue from another angle...

Verizon (a US telecoms company) acquired Cybertrust a few years ago. Is
it therefore your opinion that Mozilla should kick Cybertrust out of the
root store?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Eddy Nigg

Mar 13, 2013, 7:15:29 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
On 03/14/2013 12:42 AM, From Rob Stradling:
> Verizon (a US telecoms company) acquired Cybertrust a few years ago.
> Is it therefore your opinion that Mozilla should kick Cybertrust out
> of the root store?

The same conflict of interest could potentially exist there too, I don't
know. I'm not saying that Verizon's CA does actively support whatever
laws the telephone business requires. But in principle, if such a
problem exists it doesn't really matter in which corner of the world.

Moudrick M. Dadashov

Mar 13, 2013, 11:38:09 PM3/13/13
to irene...@teliasonera.com, dev-secur...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
Pardon me, Irene Krohn, just wonder who needs this propaganda?

I'm personally interested in your today's "achievements" like your
perfectly organized corruption network across the Baltic region, the
network covering almost all state institutions that have more or less
impact on your profit machine.

I'm also interested to learn more about your spying project in Baltics -
TeliaSonera propaganda machine has been deliberately spreading
misleading information and it took us time to know the truth: your
spying system has had nothing to do with telco billing.
For those unfamiliar with the system: this is not a product sold by
TeliaSonera to a government as some of you realize. Under the political
leadership of TeliaSonera central committee in Stockholm the spying
system has been migrating from one hand to another by selling it from
one TeliaSonera controlled "independent business" to another one. The
investigators confirmed terabytes of spying data found in TeliaSonera
controlled premises. And guess what? The investigation ended with
nothing, the prosecutor said the data were collected without any
specific intention.. did I say TeliaSonera's corruption network is one
of the best?

I'm interested to know more about TeliaSonera's European scale project
where you after successfully bankrupting your competitor KPN/QWEST (aka
EUnet International), acquired their assets (fibre rings in Britain, the
Netherlands, Germany, France, a transatlantic fibre link, network
operations centres etc.) for less than one tenth of their actual value.

Please don't take this a curiosity sign, Mozilla's Root inclusion
program REQUIRES
(http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html)
that you publicly disclose information about your policies and ***
business practices *** and before we can talk about your *** business
practices *** I expect you to disclose us your organizational structure.

Just to remind you, TeliaSonera effectively controls tens, if not
hundreds, of "independent" entities in the region. I have no problem with
your ownership, nor do I have any problems with the number of these
"independent" businesses. But I've a problem with what these businesses
do. Here is the short list: physical telecommunication lines, leased
lines, Internet backbone, DNS, CAs, Data center, web hosting, VoIP, IP
TV, - you see, the whole infrastructure under the single TeliaSonera
umbrella, oh, yes those are all "independent" entities.

Once again, TeliaSonera is NOT a business in the traditional sense, it
owns and controls an undisclosed infrastructure, therefore there is no
chance to understand your *** business practices *** unless we see your
organizational structure. Please provide more info.

Many thanks in advance.

M.D.

ch...@soghoian.net

Mar 13, 2013, 11:59:29 PM3/13/13

Several years ago, it was revealed that Verizon illegally shared its customers' data with the US National Security Agency. This wasn't "lawful interception" performed as a result of a valid order issued by the FISA court, but rather, was part of the warrantless wiretapping program authorized by President Bush after 9/11.

When sued by EFF and the ACLU (disclosure: my employer, although it happened long before I joined the ACLU), Verizon argued in court that the company had a 1st Amendment free speech right to deliver this data to the government.
See: http://arstechnica.com/tech-policy/2007/05/verizon-says-phone-record-disclosure-is-protected-free-speech/

Verizon has a documented track record of participating in and voluntarily facilitating illegal surveillance performed at the nation-state level. We're not talking about one or two illegal wiretaps, but a wholesale surveillance program that evaded the judicial system.

So yes, Verizon should not be permitted to be a CA.

However, I recognize that Cybertrust is a major CA used by a number of big websites, and so kicking them out of the CA store with no notice would seriously disrupt the web. Mozilla could give Cybertrust 1 year to either be spun off/sold to someone else, or be kicked out. That would also give Cybertrust's customers plenty of time to find another CA.

Rob Stradling

Mar 14, 2013, 6:53:26 AM3/14/13
to ch...@soghoian.net, dev-secur...@lists.mozilla.org
Chris, 2 further cases that spring to mind...

Entrust and Blue Coat share the same parent company (Thoma Bravo). Blue
Coat sell lawful interception kit. Would you therefore place Entrust in
the same boat as Cybertrust?

BT (a UK telecoms company) operates a public PKI service using
Subordinate CA certificates issued by Symantec. Do you think Mozilla
should do anything about this?

Moudrick M. Dadashov

Mar 14, 2013, 7:35:12 AM3/14/13
to Rob Stradling, dev-secur...@lists.mozilla.org, ch...@soghoian.net
On 3/14/2013 12:53 PM, Rob Stradling wrote:
> Chris, 2 further cases that spring to mind...
>
> Entrust and Blue Coat share the same parent company (Thoma Bravo).
> Blue Coat sell lawful interception kit. Would you therefore place
> Entrust in the same boat as Cybertrust?
does Thoma Bravo, like TeliaSonera, own/effectively control any network
infrastructure or at least significant part of its critical components?
How much their ownership structure is communication/internet sector
oriented?
>
> BT (a UK telecoms company) operates a public PKI service using
> Subordinate CA certificates issued by Symantec. Do you think Mozilla
> should do anything about this?
Clever solution and obviously quite a different approach. I've never heard
of BT expanding its PKI business to other countries like TeliaSonera.
TeliaSonera effectively controls an "independent pocket CA" in Estonia
and (unfortunately) Mozilla hasn't done anything about this. Do you know
how far TeliaSonera has gone with its corruption business model here?

Thanks,
M.D.


Rob Stradling

Mar 14, 2013, 7:49:33 AM3/14/13
to Moudrick M. Dadashov, dev-secur...@lists.mozilla.org, ch...@soghoian.net
Hi Moudrick.

On 14/03/13 11:35, Moudrick M. Dadashov wrote:
> On 3/14/2013 12:53 PM, Rob Stradling wrote:
>> Chris, 2 further cases that spring to mind...
>>
>> Entrust and Blue Coat share the same parent company (Thoma Bravo).
>> Blue Coat sell lawful interception kit. Would you therefore place
>> Entrust in the same boat as Cybertrust?
> does Thoma Bravo, like TeliaSonera, own/effectively control any network
> infrastructure or at least significant part of its critical components?
> How much their ownership structure is communication/internet sector
> oriented?

I have no idea.

>> BT (a UK telecoms company) operates a public PKI service using
>> Subordinate CA certificates issued by Symantec. Do you think Mozilla
>> should do anything about this?
> Clever solution and obviously quite a different approach. I've never heard
> of BT expanding its PKI business to other countries like TeliaSonera.
> TeliaSonera effectively controls an "independent pocket CA" in Estonia
> and (unfortunately) Mozilla hasn't done anything about this. Do you know
> how far TeliaSonera has gone with its corruption business model here?

I only know what I've read in this thread over the last few days.



silv...@gmail.com

Apr 16, 2013, 7:38:57 AM4/16/13
to mozilla-dev-s...@lists.mozilla.org
Being a CA means that people should trust you and your certificates. There is no way ever that I will trust a telecom to become a CA. They assist the authorities in any country they operate in. In most they are obligated by law to give/store certain types of information. They are thus in a unique position of offering the means of secure end to end communication and the key to eavesdrop on those communications.

I'm sorry, they can't have both. They shouldn't.

I'm sick and tired of telecoms providing data, lawfully or less so, to governments and their agents. In my country (Romania) there are documented cases where the mobile operators would release sensitive data to the police or the intelligence services without court orders (even though the law requires that court orders be issued). No way in Hell would I trust any of those telecoms' certificates should they wish to become CAs.

Stick to shifting data Telia. If we can't trust you, you can't be a CA.

Horne, Rob

Apr 17, 2013, 9:35:10 AM4/17/13
to dev-secur...@lists.mozilla.org
I'm not agreeing or disagreeing with the inclusion request but thought others might like to see the discussion is making the news:

http://www.theregister.co.uk/2013/04/16/mozilla_threatens_teliasonera/

Regards, Rob

jaku...@gmail.com

Apr 18, 2013, 5:37:42 AM4/18/13
to mozilla-dev-s...@lists.mozilla.org
Has CNNIC paid more to Mozilla? And how about Comodo? How about you simply start using system certificate store like IE and FF and drop this BS once and for all? Long overdue!

Erwann Abalea

Apr 18, 2013, 8:18:58 AM4/18/13
On Thursday 18 April 2013 11:37:42 UTC+2, jaku...@gmail.com wrote:
> Has CNNIC paid more to Mozilla? And how about Comodo?

Nothing is paid to Mozilla. The only prices are for infrastructure, salaries, audits, software, ...

> How about you simply start using system certificate store like IE and FF and drop this BS once and for all? Long overdue!

What are you talking about? This is precisely for integration into FF (FF=Firefox, Mozilla, etc).

Mozilla CA program is public, you're invited to participate. Just be constructive.

jaku...@gmail.com

Apr 18, 2013, 10:57:28 AM4/18/13
On Thursday, 18 April 2013 14:18:58 UTC+2, Erwann Abalea wrote:
> What are you talking about? This is precisely for integration into FF (FF=Firefox, Mozilla, etc).

What I am talking about? That you should use the *system* certificate store, and drop all the Firefox certificate management crap altogether. Do coding and stop doing politics. Including and trusting (or not) CAs should be left as a task for sysadmins and OS/distribution vendors. No, it is not doable currently with your products, because any centralized management is missing (like GPO templates). All the time spent on debating whether Honest Achmed's certs (https://bugzilla.mozilla.org/show_bug.cgi?id=647959) should be included or not would be *way* better spent on fixing this long-standing missing feature.

But wait - oh yeah, you won't do that, because you love the politics and getting paid by the "trusted" CAs, such as CNNIC, or Comodo, or TeliaSonera, or similar.

(In case it's still not clear, the FF there was a "thinko" (as in "typo"); I of course meant IE and *Chrome*, not FF.) BS'o'meter maxed out, sorry.

Ryan Sleevi

Apr 18, 2013, 11:11:56 AM
to jaku...@gmail.com, dev-secur...@lists.mozilla.org
On Thu, April 18, 2013 7:57 am, jaku...@gmail.com wrote:
> On Thursday, 18 April 2013 14:18:58 UTC+2, Erwann Abalea wrote:
Hi Jakub,

I would also encourage you to be more constructive in tone and content.

I suspect you're not aware of the fact that the vast majority (at this
point, nearly all) Linux distros explicitly rely on the Mozilla root
program and its public, open, and transparent nature as a basis for making
decisions about inclusions.

Further, while you use Chrome as an example, Chrome on iOS, Linux, and
ChromeOS also make explicit use of the Mozilla root program.

Were it not for the high quality, public, and transparent nature of these
root programs, you would find each vendor (including of OSes such as
Firefox OS and ChromeOS) would individually need to make these decisions -
and in a way that may not be transparent or public.

I don't know why you keep suggesting there is payment involved. Mozilla's
root program was one of the first to actually be payment free - prior to
that, most root stores involved fees being paid to the program operator,
the exact situation you're incorrectly and misleadingly implying happens
with Mozilla.

Again, I would encourage you to take a look at how best to be constructive
in these discussions. It's perfectly fine to disagree, and to make that
known, but let's not go off onto random and factually inaccurate attacks.

Regards,

jaku...@gmail.com

Apr 18, 2013, 11:17:55 AM
to jaku...@gmail.com, dev-secur...@lists.mozilla.org, ryan-mozde...@sleevi.com
"High quality, public, and transparent nature"? OH RLY? What's been the "community feedback" wrt CNNIC? What's been the outcome? Made my day, really.

"you would find each vendor (including of OSes such as Firefox OS and ChromeOS) would individually need to make these decisions"

Absolutely no harm done. Once again, plop whatever you find fit into the *system* certificate store and let users/admins manage that. *Centrally*. Not dealing with each damned certificate in every browser/mail client/whatever else they have installed. Not sustainable at all. Per-application CA management is an absolutely obnoxious waste of time.

gregm...@rogers.com

Apr 19, 2013, 6:42:22 PM
With all due respect, I think you are missing the point in several different ways Jaku.

First, if I am reading your posts right, you have an issue with Mozilla running its own certificate database, but you seem to think a solution to this is to sell the certificates instead of considering the entities on moral grounds, which would mean that Mozilla would continue running its own database.

Second, you seem to view Mozilla as only a company that makes the Firefox browser. Mozilla is much more than that; one thing that you might find interesting is that Mozilla is in the process of making its own OS, which would make them a group that, in your view, should manage certificates, if I am understanding you correctly.

Third, you seem to think that letting users/admins manage the certificate system would make it more central. I believe you are sorely mistaken; as Mr Sleevi has pointed out, many (almost all) Linux OSes use Mozilla's certificate database, and stopping this program would result in a much more fractured certificate system as all these Linux distros try to find their own system.

(Some of the) community feedback for the CNNIC certificate is available here: https://groups.google.com/forum/?fromgroups=#!topic/mozilla.dev.security.policy/F7471-CzPow[1-25-false] (easily findable by a Google search). I am not familiar enough with the case to be able to reliably comment on what has changed since/because of the discussion; however, any argument that could be based on how Mozilla acted in those cases is inherently flawed. Just because the wrong thing was done in the past does not mean it should continue to be done (though those past decisions should possibly be reviewed if someone can show good reason to do so).

Greg

teliasone...@teliasonera.com

May 14, 2013, 9:52:11 AM
TeliaSonera takes the concerns that have been raised in this discussion very seriously, so we have decided to take the following actions:

1. TeliaSonera will clarify in TeliaSonera Server Certificate CPS what is its geographical Business area:
TeliaSonera will issue server certificates only to organizations that are registered in the European Economic Area. The European Economic Area (EEA) comprises the countries of the European Union (EU), plus Iceland, Liechtenstein and Norway.
2. TeliaSonera will publicly disclose on TeliaSonera Web Pages how TeliaSonera CA is located within TeliaSonera’s Organization:
The TeliaSonera CA business is a part of the Business Area Broadband Services, which comprises operations in Sweden, Finland, Norway, Denmark, Lithuania, Latvia, Estonia, and international carrier. It is separated from TeliaSonera’s operations outside of the Nordic and Baltics and is completely separated from TeliaSonera’s Business Area Eurasia. TeliaSonera’s Business Area Eurasia comprises operations in Central Asia and Eastern Europe (e.g. Azerbaijan, Georgia, Kazakhstan, Moldova, Russia, Tajikistan, Turkey, Uzbekistan, Nepal). TeliaSonera International Carrier is TeliaSonera’s fiber-optic backbone business; it is an independent company which organizationally resides within the Business Area Broadband Services. For more information see the About us page on www.teliasonera.com.

Salomon Bekele
Head of External Communications

Kathleen Wilson

May 14, 2013, 11:10:31 AM
to mozilla-dev-s...@lists.mozilla.org
On 5/14/13 6:52 AM, teliasone...@teliasonera.com wrote:
> TeliaSonera takes the concerns that have been raised in this discussion
> very seriously, so we have decided to take the following actions:
>
> 1. TeliaSonera will clarify in TeliaSonera Server Certificate CPS what
> is its geographical Business area:
> TeliaSonera will issue server certificates only to organizations that are
> registered in the European Economic Area. The European Economic
> Area (EEA) comprises the countries of the European Union (EU), plus
> Iceland, Liechtenstein and Norway.
> 2. TeliaSonera will publicly disclose on TeliaSonera Web Pages how
> TeliaSonera CA is located within TeliaSonera's Organization:
> The TeliaSonera CA business is a part of the Business Area Broadband
> Services, which comprises operations in Sweden, Finland, Norway, Denmark,
> Lithuania, Latvia, Estonia, and international carrier. It is separated from
> TeliaSonera's operations outside of the Nordic and Baltics and is completely
> separated from TeliaSonera's Business Area Eurasia.
> TeliaSonera's Business Area Eurasia comprises operations in Central Asia
> and Eastern Europe (e.g. Azerbaijan, Georgia, Kazakhstan, Moldova, Russia,
> Tajikistan, Turkey, Uzbekistan, Nepal).
> TeliaSonera International Carrier is TeliaSonera's fiber-optic backbone business;
> it is an independent company which organizationally resides within the Business
> Area Broadband Services. For more information see the About us page on
> www.teliasonera.com.

All,

I believe that the clarification of the TeliaSonera CA geographical
business area in their CPS is a reasonable response to the concerns that
have been raised in this discussion. TeliaSonera has been a CA in good
standing in Mozilla's program for several years, and no evidence has
been found to indicate mis-issuance of certificates in their CA hierarchy.

For a diagram of the organization as described, see:
http://www.teliasonera.com/en/about-us/organisation/

Action for TeliaSonera: Please let me know when the CPS has been updated
as specified above.

Thanks,
Kathleen


ch...@soghoian.net

May 17, 2013, 4:16:48 AM
This 'clarification' by TeliaSonera doesn't change the fact that the company knowingly facilitates the unrestricted government surveillance of its customers. That it is a different part of the company doesn't give me much peace of mind.

TeliaSonera permitted several governments with awful human rights records to install black box surveillance gear onto its network. Those black boxes were then used to intercept the communications of TeliaSonera's customers.

TeliaSonera has told us that it only provides the government with unfettered surveillance access to its network when forced to by law, but that likely isn't much comfort to users in Azerbaijan, Belarus, and Uzbekistan.

When the company allowed black box surveillance devices to be placed onto its network, it gave up its ability to act as a broker of trust on the Internet. That the company hasn't specifically misused its CA granting powers doesn't matter. The company has shown a total disregard to end-user privacy.

The appropriate action here should be to pick some reasonable date in the future, say 18 months, and announce that the trust bits for TeliaSonera's certificates will be deactivated within Firefox on that date. That will give the company's customers more than enough time to migrate away to a CA that is actually committed to trust and security.

Kathleen Wilson

May 29, 2013, 5:30:35 PM
to mozilla-dev-s...@lists.mozilla.org
> The appropriate action here should be to pick some reasonable date in the
> future, say 18 months, and announce that the trust bits for TeliaSonera's
> certificates will be deactivated within Firefox on that date. That will give
> the company's customers more than enough time to migrate away to a CA
> that is actually committed to trust and security.


I empathize with what you are saying. However I propose a slightly
different approach.

Maybe there is a way we can draw a line to say that certain types of
actions cannot be taken by the same company/organization that includes
the operation of a publicly trusted CA. If we can figure out how to draw
the line and how to express this in policy, then we could add it to
Mozilla's CA Certificate Policy and give CAs a certain amount of time to
become compliant with it. (Maybe some CAs will decide to spin off their
CA business in order to comply.) I will greatly appreciate suggestions
on how to draft such policy. Let's have that discussion in a separate
thread.

As for setting a date in the future for when a root certificate will be
removed, I have always assumed that to be an option, but perhaps we can
make it more clear in policy. Let's also have a separate discussion
about adding such text to Mozilla's CA Certificate Enforcement Policy.

I have added a section to the following wiki page to track this:
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3

In the meantime, I would like to move forward with inclusion of
TeliaSonera's renewed root certificate after they update their CPS
documentation to limit the geographical areas in which they may issue
publicly trusted certificates.

Thanks,
Kathleen

Moudrick M. Dadashov

May 29, 2013, 6:06:01 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
Hi Kathleen,

On 5/30/2013 12:30 AM, Kathleen Wilson wrote:
>> The appropriate action here should be to pick some reasonable date in
>> the future, say 18 months, and announce that the trust bits for
>> TeliaSonera's certificates will be deactivated within Firefox on that
>> date. That will give the company's customers more than enough time to
>> migrate away to a CA that is actually committed to trust and security.
>
>
> I empathize with what you are saying. However I propose a slightly
> different approach.
>
> Maybe there is a way we can draw a line to say that certain types of
> actions cannot be taken by the same company/organization that includes
> the operation of a publicly trusted CA. If we can figure out how to
> draw the line and how to express this in policy, then we could add it
> to Mozilla's CA Certificate Policy and give CAs a certain amount of
> time to become compliant with it. (Maybe some CAs will decide to spin
> off their CA business in order to comply.) I will greatly appreciate
> suggestions on how to draft such policy. Let's have that discussion in
> a separate thread.
>
> As for setting a date in the future for when a root certificate will
> be removed, I have always assumed that to be an option, but perhaps we
> can make it more clear in policy. Let's also have a separate
> discussion about adding such text to Mozilla's CA Certificate
> Enforcement Policy.
>
> I have added a section to the following wiki page to track this:
> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
>
> In the meantime, I would like to move forward with inclusion of
> TeliaSonera's renewed root certificate after they update their CPS
> documentation to limit the geographical areas in which they may issue
> publicly trusted certificates.
>
I'm strongly against including my country in TeliaSonera covered area,
unless the company clarifies the issues specifically relevant to my
country. Just a short reminder from my previous emails on this thread:

1. The spying system: ACB/ITSS.
TeliaSonera must communicate and assist the law enforcement institutions
to finish their interrupted investigation.

2. TeliaSonera corruption business practices.
Disclose information about the business entities under direct or
indirect (through their daughter companies) control of TeliaSonera.
Disclose TeliaSonera business practices in coordinating [corruption]
activities of these TeliaSonera controlled entities: UAB Omnitel and AS
Sertifitseerimiskeskus.

Thanks,
M.D.

> Thanks,
> Kathleen

Mats Palmgren

May 30, 2013, 10:01:58 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On 05/29/2013 09:30 PM, Kathleen Wilson wrote:
> In the meantime, I would like to move forward with inclusion of
> TeliaSonera's renewed root certificate after they update their CPS
> documentation to limit the geographical areas in which they may issue
> publicly trusted certificates.


TeliaSonera facilitates unlimited mass-surveillance in several
dictatorship countries, where people have been imprisoned, tortured,
or killed because of their political views. [1]

TeliaSonera has admitted to this publicly on several occasions.
They also say they will continue that part of its business.

Even *if* their CA business hasn't been involved in the surveillance
I still think that accepting this company as a CA is an endorsement
of trust for the entire company. Saying that they have "good standing"
in its role as CA while ignoring that other parts of the company
profit from surveillance that leads to violations of human rights
is *not* in the spirit of the Mozilla Manifesto, IMHO. [2]

TeliaSonera does not deserve our trust. I am strongly against
including them as CA for any geographical area.

Sincerely,
Mats Palmgren
(A Swede who has sadly watched this scandal unfold in local media
for some time now, and I assure you, it's even uglier than you
might think.)

[1]
http://vimeo.com/41248885

[2]
http://www.mozilla.org/en-US/about/manifesto/

Stephen Schultze

May 31, 2013, 1:50:06 AM
On Wednesday, May 29, 2013 5:30:35 PM UTC-4, Kathleen Wilson wrote:
> Maybe there is a way we can draw a line to say that certain types of
> actions cannot be taken by the same company/organization that includes
> the operation of a publicly trusted CA. If we can figure out how to draw
> the line and how to express this in policy, then we could add it to
> Mozilla's CA Certificate Policy and give CAs a certain amount of time to
> become compliant with it. (Maybe some CAs will decide to spin off their
> CA business in order to comply.) I will greatly appreciate suggestions
> on how to draft such policy. Let's have that discussion in a separate
> thread.

Nonsense.

http://www.eurasiareview.com/26052013-georgia-interior-ministry-called-to-remove-black-box-spy-devices-from-telecom-companies/

Take a stand.

Kathleen Wilson

Jun 7, 2013, 11:29:21 PM
to mozilla-dev-s...@lists.mozilla.org
On 5/29/13 3:06 PM, Moudrick M. Dadashov wrote:
> I'm strongly against including my country in TeliaSonera covered area,
> unless the company clarifies the issues specifically relevant to my
> country. Just a short reminder from my previous emails on this thread:
>
> 1. The spying system: ACB/ITSS.
> TeliaSonera must communicate and assist the law enforcement institutions
> to finish their interrupted investigation.
>
> 2. TeliaSonera corruption business practices.
> Disclose information about the business entities under direct or
> indirect (through their daughter companies) control of TeliaSonera.
> Disclose TeliaSonera business practices in coordinating [corruption]
> activities of these TeliaSonera controlled entities: UAB Omnitel and AS
> Sertifitseerimiskeskus.
>


Please help me understand...

How is the TeliaSonera exposé different from the current exposé in the
US about PRISM and also the other current exposé about Verizon?

PRISM: http://gizmodo.com/what-is-prism-511875267
And the denials:
http://googleblog.blogspot.com/2013/06/what.html
http://techcrunch.com/2013/06/06/google-facebook-apple-deny-participation-in-nsa-prism-program/

Verizon:
http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order


It seems like the main difference is the countries where TeliaSonera is
known to be operating telecom services. Is that it? Or am I missing
something? Please explain.

Thanks,
Kathleen


Moudrick M. Dadashov

Jun 8, 2013, 9:05:05 AM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On 6/8/2013 6:29 AM, Kathleen Wilson wrote:
> On 5/29/13 3:06 PM, Moudrick M. Dadashov wrote:
>> I'm strongly against including my country in TeliaSonera covered area,
>> unless the company clarifies the issues specifically relevant to my
>> country. Just a short reminder from my previous emails on this thread:
>>
>> 1. The spying system: ACB/ITSS.
>> TeliaSonera must communicate and assist the law enforcement institutions
>> to finish their interrupted investigation.
>>
>> 2. TeliaSonera corruption business practices.
>> Disclose information about the business entities under direct or
>> indirect (through their daughter companies) control of TeliaSonera.
>> Disclose TeliaSonera business practices in coordinating [corruption]
>> activities of these TeliaSonera controlled entities: UAB Omnitel and AS
>> Sertifitseerimiskeskus.
>>
>
>
> Please help me understand...
>
> How is the TeliaSonera exposé different from the current exposé in the
> US about PRISM and also the other current exposé about Verizon?
>
> PRISM: http://gizmodo.com/what-is-prism-511875267
> And the denials:
> http://googleblog.blogspot.com/2013/06/what.html
> http://techcrunch.com/2013/06/06/google-facebook-apple-deny-participation-in-nsa-prism-program/
>
>
> Verizon:
> http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order
>
>
> It seems like the main difference is the countries where TeliaSonera
> is known to be operating telecom services. Is that it? Or am I missing
> something? Please explain.
>
1. PRISM is a **government** sanctioned/initiated/controlled project, at
least it's run "under the government umbrella".
2. Verizon looks like one of the "legally forced" participants.
3. Verizon might not have sufficiently diversified infrastructure to
support overall PRISM functionality.
4. ACB/ITSS has been totally a TeliaSonera
sanctioned/initiated/controlled project.
5. No government ever forced TeliaSonera and its outfits to operate such
a spying system.
6. TeliaSonera effectively controls a sufficiently diversified
infrastructure (physical lines, access nodes, data center/hosting
resources, backbone level Internet controls, DNS etc.) to support this
kind of spying system. (Something that the Root inclusion policy should
take care about!)
7. TeliaSonera effectively controls a huge propaganda machine capable of
forming any "favorable dominant opinion".

That is why ACB/ITSS investigation ended with nothing.

Even these days, despite the public promises here, TeliaSonera actually
continues its mafia style business practices, so the best instrument to
build trust and confidence is real work, not promises.

Mozilla, please help TeliaSonera.

Kathleen Wilson

Jun 13, 2013, 1:22:48 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/8/13 6:05 AM, Moudrick M. Dadashov wrote:
> On 6/8/2013 6:29 AM, Kathleen Wilson wrote:
>> On 5/29/13 3:06 PM, Moudrick M. Dadashov wrote:
>>> I'm strongly against including my country in TeliaSonera covered area,
>>> unless the company clarifies the issues specifically relevant to my
>>> country. Just a short reminder from my previous emails on this thread:
>>>
>>> 1. The spying system: ACB/ITSS.
>>> TeliaSonera must communicate and assist the law enforcement institutions
>>> to finish their interrupted investigation.


I looked into ACB/ITSS and found claims dating back to 2007 that
TeliaSonera was using this in Costa Rica, Lithuania and other countries.
However, I was not able to find a reliable source to backup these claims.



>>>
>>> 2. TeliaSonera corruption business practices.
>>> Disclose information about the business entities under direct or
>>> indirect (through their daughter companies) control of TeliaSonera.
>>> Disclose TeliaSonera business practices in coordinating [corruption]
>>> activities of these TeliaSonera controlled entities: UAB Omnitel and AS
>>> Sertifitseerimiskeskus.


I looked into this and found that two of TeliaSonera's affiliates have
invested in Sertifitseerimiskeskus (SK). However, SK's CA business and
the Sonera/TeliaSonera CA business are completely separate from each
other in regards to CA and business operations, so we (Mozilla) need to
treat them as separate CAs -- evaluate them separately based on their
own CP/CPS/audits, etc.
Thanks. These are things to consider in updating Mozilla's CA
Certificate Policy, so I've added notes about them here:
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3

Updates that we add to Mozilla's CA Certificate Policy apply to all of
the CAs in Mozilla's program. I do not believe that including a renewed
root for an already-included CA changes this.

Thanks,
Kathleen

Moudrick M. Dadashov

Jun 13, 2013, 7:07:51 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On 6/13/2013 8:22 PM, Kathleen Wilson wrote:
> On 6/8/13 6:05 AM, Moudrick M. Dadashov wrote:
>> On 6/8/2013 6:29 AM, Kathleen Wilson wrote:
>>> On 5/29/13 3:06 PM, Moudrick M. Dadashov wrote:
>>>> I'm strongly against including my country in TeliaSonera covered area,
>>>> unless the company clarifies the issues specifically relevant to my
>>>> country. Just a short reminder from my previous emails on this thread:
>>>>
>>>> 1. The spying system: ACB/ITSS.
>>>> TeliaSonera must communicate and assist the law enforcement institutions
>>>> to finish their interrupted investigation.
>
>
> I looked into ACB/ITSS and found claims dating back to 2007 that
> TeliaSonera was using this in Costa Rica, Lithuania and other
> countries. However, I was not able to find a reliable source to backup
> these claims.
>
>
Unless you decide to launch your own investigation, in my previous email
I suggested that TeliaSonera help the law enforcement institutions to
finish their job. That would be a good sign that TeliaSonera is
seriously moving away from its long-lasting dark history.
>
>>>>
>>>> 2. TeliaSonera corruption business practices.
>>>> Disclose information about the business entities under direct or
>>>> indirect (through their daughter companies) control of TeliaSonera.
>>>> Disclose TeliaSonera business practices in coordinating [corruption]
>>>> activities of these TeliaSonera controlled entities: UAB Omnitel and AS
>>>> Sertifitseerimiskeskus.
>
>
> I looked into this and found that two of TeliaSonera's affiliates have
> invested in Sertifitseerimiskeskus (SK). However, SK's CA business and
> the Sonera/TeliaSonera CA business are completely separate from each
> other in regards to CA and business operations, so we (Mozilla) need
> to treat them as separate CAs -- evaluate them separately based on
> their own CP/CPS/audits, etc.
>
That's going to be a big mistake.
These pseudo-separate business operations have been perfectly
managed/coordinated by TeliaSonera. Unfortunately CP/CPS don't cover
business practices, they don't disclose infrastructures like this,
CP/CPS won't show how much taxpayers' money was stolen in favor of a
pseudo-separate business controlled by TeliaSonera. In this respect, I'm
talking for my country, again, as mentioned earlier, you can run your
own investigation for the interests of US investors, just start with
TeliaSonera + KPNQwest.

This case is about corruption that is a business model where no
corruption means no business.
No CP/CPS is able to resolve this dilemma, the only hope is for the
Swedish government - the owner of the "private business" with tens of
properly specialized "separate businesses".

Thanks,
M.D.
> Thanks. These are things to consider in updating Mozilla's CA
> Certificate Policy, so I've added notes about them here:
> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
>
> Updates that we add to Mozilla's CA Certificate Policy apply to all of
> the CAs in Mozilla's program. I do not believe that including a
> renewed root for an already-included CA changes this.
>

Kathleen Wilson

Jun 17, 2013, 1:13:22 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/13/13 4:07 PM, Moudrick M. Dadashov wrote:
> On 6/13/2013 8:22 PM, Kathleen Wilson wrote:
>> On 6/8/13 6:05 AM, Moudrick M. Dadashov wrote:
>>> On 6/8/2013 6:29 AM, Kathleen Wilson wrote:
>>>> On 5/29/13 3:06 PM, Moudrick M. Dadashov wrote:
>>>>> I'm strongly against including my country in TeliaSonera covered area,
>>>>> unless the company clarifies the issues specifically relevant to my
>>>>> country. Just a short reminder from my previous emails on this thread:
>>>>>
>>>>> 1. The spying system: ACB/ITSS.
>>>>> TeliaSonera must communicate and assist the law enforcement institutions
>>>>> to finish their interrupted investigation.
>>
>>
>> I looked into ACB/ITSS and found claims dating back to 2007 that
>> TeliaSonera was using this in Costa Rica, Lithuania and other
>> countries. However, I was not able to find a reliable source to backup
>> these claims.
>>
>>
> Unless you decide to launch your own investigation, in my previous email
> I suggested TeliaSonera to help the law enforcement institutions to
> finish their job. That would be a good sign that TeliaSonera is
> seriously moving away from its long lasting dark history.


It is up to law enforcement to make that happen. I will not be doing
any further investigation into this.
Business models and business corruption are the jurisdiction of the
country's government and law enforcement agencies, not Mozilla's CA
Certificate Policy.

After all this time and delay, I still do not have evidence of the
TeliaSonera CA not complying with Mozilla's CA Certificate Policy.
Therefore, I plan to close this discussion and approve inclusion of this
renewed root certificate.

Thanks for all of your input into this discussion.

Kathleen

Peter Kurrasch

Jun 17, 2013, 5:31:30 PM
to mozilla-dev-s...@lists.mozilla.org
Kathleen--

I don't agree that we should accept TeliaSonera's request for
inclusion...but first I need something clarified. I've looked through
my Firefox cert manager trying to find the TeliaSonera root certs
already in use. What I find is "Sonera Class1 CA" and "Sonera Class2
CA" but I don't see "TeliaSonera Root CA v1". Have I missed something
somewhere? From what I can tell this is a request to /expand/
TeliaSonera's involvement with the Mozilla community and is not just
replacing an existing cert...???

Secondary to that, I don't think we can accept the explanation of "these
are separate business units". The fact of the matter is that
corporations are not trustworthy--and proof of that lies in the laws
that exist to govern, regulate, audit, and otherwise control them.
While the TeliaSonera spokespeople say that the business units are
separate we really need something better than words.

I took a look at the TeliaSonera web site to try and understand for
myself what the different units are and how separate they might actually
be. I will admit I could not figure that out--it's a complicated
mish-mash of service offerings spanning different groups of countries.
If we had greater insight into these operations in the form of an audit
procedure that could be conducted by a trusted auditing agent I would be
less concerned, but I know of no such procedure nor any such agent (but
I'd like to know if there is such a thing).

And let's be honest: the TeliaSonera name/brand has at least a black eye
and at worst a cancerous tumor. The reports of "bad acts" that violate
the trust bestowed upon TeliaSonera are wide-spread and appear widely
accepted. Both points are important, I think, and distinguish this case
from other cases which may be in the form of mere allegations or
hear-say. And the fact that the breach of trust has such serious
consequences in terms of the oppressive regimes that benefited and the
liberties and freedoms that were lost is all the more damning.

A final point I will make here has to do with the Mozilla community at
large. If you were to show the reports of abuse to anyone in the
community (software developers, users of Firefox, participants in this
forum, Mozilla employees, and so forth) I don't think you would find a
single person who would say "including a new certificate from
TeliaSonera sounds like a good idea and I would like to use them as a
root CA for my own certificates". And, I think this is the bottom line
for our discussion here.


So, to summarize what I've said in this email and what has come up over
the past 3 months of discussion, the request to include the "TeliaSonera
Root CA v1" should be denied for the following reasons:

1) widespread reports (which are widely accepted) of abuse of trust
by the TeliaSonera corporation and subsidiaries [if you'd like specific
links I will put a list together of what I think are the better examples]
2) abuse of trust is sufficient grounds, but facilitating government
and/or corporate surveillance for nefarious purposes is especially troubling
3) this request amounts to seeking to expand TeliaSonera's
involvement, and such expansion is troubling in light of the reports of
abuse of trust
4) denying this request applies to this specific certificate
only--the other "Sonera" certs would be allowed to remain
5) TeliaSonera is not being banned from participating in the program,
so this is not a death knell to the company
6) we have other CA providers, so this action won't "break the internet"
7) we should respect and reward those CAs that do not abuse the
trust by carefully scrutinizing those CAs that do
8) this judgment is objective based on the actions of TeliaSonera and
is not subjective to TeliaSonera itself or the countries in which it has
operations [or, to put it another way, TeliaSonera behaved badly and
other companies that also behaved badly could very well find themselves
in this same situation!]
9) Mozilla has the right and obligation to stray from strict
interpretation of the certificate policy on a case-by-case basis, and
/for this case/ such a deviation is warranted and justified
10) TeliaSonera's status could be considered "probationary": further
bad acts will result in removal of the remaining certs; a demonstration
of "good acts" for some period of time could result in reconsideration
of this or other root certs [obviously this item needs further discussion!]

To be sure, some of those points could very well apply to other CAs
that participate in the CA root inclusion program, and I imagine we will
be discussing them over the coming months in light of the NSA
surveillance programs. (If anything, I think the NSA reports emphasize
our need to deny this request, further scrutinize others, and generally
codify accountability!)

So, this may or may not be a satisfying argument for a U.S. court of law
but, as I emphasize in #9, for this specific case that's being presented
here and now, I see no other conclusion that we, in good conscience, can
draw.

Thank you.

Rob Stradling

Jun 18, 2013, 3:37:42 AM
to Peter Kurrasch, mozilla-dev-s...@lists.mozilla.org
On 17/06/13 22:31, Peter Kurrasch wrote:
<snip>
> ...but first I need something clarified. I've looked through
> my Firefox cert manager trying to find the TeliaSonera root certs
> already in use. What I find is "Sonera Class1 CA" and "Sonera Class2
> CA" but I don't see "TeliaSonera Root CA v1". Have I missed something
> somewhere? From what I can tell this is a request to /expand/
> TeliaSonera's involvement with the Mozilla community and is not just
> replacing an existing cert...???

Peter, take a look at "Owner" column in Kathleen's spreadsheet:
http://tinyurl.com/MozillaBuiltInCAs

The "Sonera Class1 CA" and "Sonera Class2 CA" Roots do indeed belong to
TeliaSonera.

Peter Kurrasch

Jun 19, 2013, 12:42:24 PM
to Rob Stradling, mozilla-dev-s...@lists.mozilla.org
On 06.18.2013 2:37 AM, Rob Stradling wrote:
> On 17/06/13 22:31, Peter Kurrasch wrote:
> <snip>
>> ...but first I need something clarified. I've looked through
>> my Firefox cert manager trying to find the TeliaSonera root certs
>> already in use. What I find is "Sonera Class1 CA" and "Sonera Class2
>> CA" but I don't see "TeliaSonera Root CA v1". Have I missed something
>> somewhere? From what I can tell this is a request to /expand/
>> TeliaSonera's involvement with the Mozilla community and is not just
>> replacing an existing cert...???
>
> Peter, take a look at "Owner" column in Kathleen's spreadsheet:
> http://tinyurl.com/MozillaBuiltInCAs
>
> The "Sonera Class1 CA" and "Sonera Class2 CA" Roots do indeed belong
> to TeliaSonera.
I did see the spreadsheet but was hoping to find CN="TeliaSonera Root CA
v1" and didn't find it there. That being the case, I think my statement
is correct about TeliaSonera wanting to go from 2 roots in the store to
3 and that the request is not swapping one of those certs out for a new one.

Thanks for the feedback--and for reading my email!

Peter.

teliasone...@teliasonera.com

Jun 24, 2013, 9:36:52 AM
to
TeliaSonera does not agree with the posted allegations; we have not committed bad acts and have not abused trust. For more information visit: www.teliasonera.com and read our communications on the allegations directed towards us.
There have been media reports in which TeliaSonera is used as a tool to drive home the point that some governments allegedly use the tools for monitoring telecommunications, that all countries reserve for national security, in a negative way. TeliaSonera abides by the same laws and regulations as all other operators. We believe that telecommunications is a force for good. Together with a group of other international telecom companies TeliaSonera formed the Industry Dialogue 2011 to discuss freedom of expression and privacy rights in the sector, in the context of the UN Guiding Principles on Business and Human Rights. Together we are stronger.

Regarding telecommunications operator’s ability to be a CA, the same rules should apply for TeliaSonera as for all operators. This is a challenge for the whole industry, not a TeliaSonera specific issue.
TeliaSonera's CA business is separated from our telecommunications operator business organization-wise, and is not under any influence of the rules that apply to our operator business.
It is a misconception that we are expanding our CA business. We want to replace our existing Sonera roots with a new TeliaSonera root. However, we need to keep the old roots during migration. We will have the same business in the same areas as before. We are also restricting our CA business to Europe. TeliaSonera's CA has a long clean history.

Salomon Bekele
Head of External Communications
TeliaSonera Group

Kathleen Wilson

Jun 24, 2013, 6:47:57 PM
to mozilla-dev-s...@lists.mozilla.org
Re-posting this for those of you whose news readers didn't pick it up.

On Monday, June 24, 2013 6:36:52 AM UTC-7, teliasone...@teliasonera.com
wrote:
> Salomon Bekele
> Head of External Communications
> TeliaSonera Group


Mats Palmgren

Jun 25, 2013, 9:08:49 PM
to Salomon Bekele, pr...@mozilla.com, mozilla-dev-s...@lists.mozilla.org, Kathleen Wilson
On 06/24/2013 10:47 PM, Kathleen Wilson wrote:
> Re-posting this for those of you whose news readers didn't pick it up.
>
> On Monday, June 24, 2013 6:36:52 AM UTC-7, teliasone...@teliasonera.com
> wrote:
> > TeliaSonera does not agree with the posted allegations,
> > we have not committed bad acts and have not abused trust.

TeliaSonera facilitates unlimited mass-surveillance in several
dictatorship countries, where people have been imprisoned, tortured,
or killed because of their political views.
http://vimeo.com/41248885


> > For more information visit: www.teliasonera.com and read
> > our communications on the allegations directed towards us.

I can't find it. Please provide the exact URL(s) where the
allegations made in the video above are addressed.

As far as I know, none of the allegations has been refuted.
In fact, the official TeliaSonera response "we're just following
the law in the countries that we operate" has been repeated on
multiple occasions in news media.


> > There have been media reports in which TeliaSonera is used
> > as a tool to drive home the point that some governments
> > allegedly use the tools for monitoring telecommunications,
> > that all countries reserve for national security, in a
> > negative way.

Nonsense. TeliaSonera has gone far beyond what's normal in
protecting national security. Citizens that protest against the
oppression by their government aren't a national security concern
at all. That's just what the dictatorship says to legitimize its
actions. TeliaSonera's actions have essentially made it a part of
the security forces in these countries, thereby enabling the
oppression to continue. Through the SORM system, the security
forces have full access to all data, in realtime, remotely.
SORM is the primary tool in the continued oppression.


> > TeliaSonera abides by the same laws and
> > regulations as all other operators.
> > Regarding telecommunications operator’s ability to be a CA,
> > the same rules should apply for TeliaSonera as for all operators.
> > This is a challenge for the whole industry, not a TeliaSonera
> > specific issue.

Kathleen, are any other telecom operators that are doing business
in these dictatorship countries in the Mozilla root program?
If so, we should remove them too if they have been participating in
the mass-surveillance.


> > TeliaSonera's CA business is separated from our telecommunications
> > operator business organization-wise, and is not under any influence
> > of the rules that apply to our operator business.

Being a CA is all about trust. Saying that the human rights violations
are facilitated by a different business unit (Eurasia) doesn't really
help. Both units are under the influence of the same leadership.
A leadership that has demonstrated that it's oblivious to the human
rights violations in these countries as long as it's good for business.

That leadership could also use its CA business to do bad things if they
think it's good for business.

I would also like to point out the PR risk for Mozilla in endorsing
a morally corrupt company like TeliaSonera. Their grave wrongdoings
smear our reputation.
https://blog.mozilla.org/blog/2013/01/28/privacy-day-2013/



> > Salomon Bekele
> > Head of External Communications
> > TeliaSonera Group


Mats Palmgren,
(Mozilla developer, but the views expressed above are my personal views)

Peter Kurrasch

Jun 26, 2013, 5:49:46 PM
to mozilla-dev-s...@lists.mozilla.org
On 06.25.2013 8:08 PM, Mats Palmgren wrote:
>> On Monday, June 24, 2013 6:36:52 AM UTC-7, teliasone...@teliasonera.com
>> wrote:
>> > TeliaSonera does not agree with the posted allegations,
>> > we have not committed bad acts and have not abused trust.
>
> TeliaSonera facilitates unlimited mass-surveillance in several
> dictatorship countries, where people have been imprisoned, tortured,
> or killed because of their political views.
> http://vimeo.com/41248885
I agree. There is no question that TeliaSonera facilitated the
surveillance of citizens in former Soviet republics. There really is no
way to conclude otherwise.

What I find so breathtakingly disingenuous, however, is that the
TeliaSonera response does not acknowledge the recent actions of the
company's board of directors. See reference [RFERL] for the full
details, but what has happened is that an independent review was
conducted regarding the business in Uzbekistan. Based on that report,
the board of directors itself decided the allegations were serious
enough that they forced the resignation of the CEO. Quoting from [RFERL]:

"Announcing his resignation, Nyberg said he was informed by the
TeliaSonera board that there would be 'significant changes to the
composition of the board' after it received the report, and that he
no longer had the board's support."

Whether there is legal culpability and liability is an entirely
different question, but for Mozilla's purposes here I think a claim of
"bad acts and abuse of trust" is warranted and justifiable.


...snip...
> As far as I know, none of the allegations has been refuted.
> In fact, the official TeliaSonera response "we're just following
> the law in the countries that we operate" has been repeated on
> multiple occasions in news media.
I agree with Mats: the "just following the law" argument does appear
frequently in the media reports. I even found a TeliaSonera press
release [TS-FB] which announced it was blocking all access to Facebook
for citizens of Tajikistan. The press release says:

"We have a clear policy in place to ensure that all requests are
handled in a legally correct way...."

There is, of course, a big difference between being legally correct and
being an arbiter of trust. The [EFF] article makes this very point:

"Authoritarian regimes can interpret the law in ways that justify
unlimited spying on journalists and political dissidents. Or...the
laws on the books are not enforced—unrestricted surveillance is the
order of the day. If tech companies want to avoid being
repression’s little helper, they must know their customer and
refrain from cooperating with governments that they believe will use
their technology to facilitate human rights violations."


>> > There have been media reports in which TeliaSonera is used
>> > as a tool to drive home the point that some governments
>> > allegedly use the tools for monitoring telecommunications,
>> > that all countries reserve for national security, in a
>> > negative way.
Concerns about tools and government surveillance and national security
are all distractions to the primary issue facing the Mozilla community:
trust and perception.

Rather than speak of media reports in the abstract, I compiled a list of
reports that people have shared in this forum. The complete list is at
the bottom of this email but I will provide a quick summary here:

[BB-UG] and [BB-VID] are the initial investigative report by Swedish
public television into the allegations that TeliaSonera worked in
partnership with corrupt peoples and governments, and that those
partnerships resulted in losses of privacy and in some cases abuse
of human rights. To be clear, the abuse of rights and of privacy is
not at the hands of TeliaSonera itself—it is the governments who did
that—but TeliaSonera at best allowed privacy to be violated and at
worst invited the privacy loss in order to secure business in the
former Soviet republics. I personally can't tell where that line
should be drawn but the allegations are nonetheless serious, and it
is this report that first documents and presents the information in
order for people to evaluate it and draw their own conclusions.

[SLATE] and [EFF] provide English-language accounts of the TV report
in [BB-VID] and provide examples of the privacy losses and human
rights abuse. (Since the video is an hour long it is faster to
review these articles!)

[EURA] provides further information and analysis into the
investigation between TeliaSonera and specific people whose
reputation is, at best, "questionable" or, at worst, "heavy-handed
and corrupt". In particular, the report brings up Gulnara Karimova
who is described as "the single most hated person in Uzbekistan".


The [EURA] article in particular shows how the taint of distrust begins
in Uzbekistan: the people do not trust Gulnara Karimova and her
father's government in Uzbekistan; ergo, the people do not trust
companies that do business with her and the government; ergo, the
people do not trust TeliaSonera; ergo, the people do not trust the CA
roots issued by TeliaSonera. I'm sure similar links could be made in
other former Soviet republics, too.

Like it or not the taint of distrust is on the TeliaSonera company (and
brand), and it seems the taint was invited upon the company itself out
of an eagerness to do business in the former Soviet republics.


...snip...
>> > TeliaSonera's CA business is separated from our telecommunications
>> > operator business organization-wise, and is not under any influence
>> > of the rules that apply to our operator business.
TeliaSonera's claim can not possibly be verified and contradicts its
press release on blocking Facebook access [TS-FB]. If a legal request
comes in from Tajikistan for a MITM certificate, is TeliaSonera's CA
operation not obligated to comply?

The claims of separation and "legality" also call into question the
value of restricting business to just Europe (as the official response
from TeliaSonera mentioned). Basically, such restrictions are of
limited comfort. If someone in Tajikistan wishes to access a web site
in Europe and TeliaSonera has provided a MITM certificate to the
Tajikistan government regulators, based on a "legal request", the
outcome is the same: loss of privacy.

Exactly how separate the CA business would be is ultimately irrelevant,
because once the taint of distrust reaches the TeliaSonera company, the
CA business is equally tainted.

> A leadership that has demonstrated that it's oblivious to the human
> rights violations in these countries as long as it's good for business.
>
> That leadership could also use its CA business to do bad things if they
> think it's good for business.
I agree with Mats. TeliaSonera has announced a new CEO [TS-CEO] but he
won't begin until September 2013. That announcement also mentions a
desire for the company to have a fresh start, but we won't know for some
time if TeliaSonera could once again be trusted.

> I would also like to point out the PR risk for Mozilla in endorsing
> a morally corrupt company like TeliaSonera. Their grave wrongdoings
> smear our reputation.
> https://blog.mozilla.org/blog/2013/01/28/privacy-day-2013/
Good link, Mats (added it to the list below)! To use my taint of
distrust metaphor: Right now TeliaSonera is soaking in it, and if
people use a Mozilla product and see the TeliaSonera name, Mozilla will
be soaking in the taint, too. Mozilla can not allow that to happen.

Mozilla must deny TeliaSonera's request to add a third root certificate.

-----

Below are all the references I was able to cull from this forum that
seem relevant to TeliaSonera's request.

[BB-UG] -- http://www.svt.se/ug/video-the-black-boxes-3

This is the main page for the Swedish TV program "Uppdrag
Granskning" and their investigative report titled "The Black
Boxes". The report aired on or around April 26, 2012. [The page is
in Swedish.]


[BB-VID] -- http://vimeo.com/41248885

This is a direct link to the "Black Boxes" video. The video is in
Swedish (and Russian?) but has English subtitles.


[EFF] --
https://www.eff.org/deeplinks/2012/05/swedish-telcom-giant-teliasonera-caught-helping-authoritarian-regimes-spy-its

This is an English-language report by the Electronic Frontier
Foundation on May 18, 2012 on the "Black Boxes" video [BB-VID].
This report does mention legal aspects and the difference between
knowing the law and knowing how the law will be followed (or not).


[EURA] -- http://www.eurasianet.org/node/66375

This report by EurasiaNet.org on January 9, 2013 again references
the "Black Boxes" video [BB-VID] but goes on to document newer
evidence about the connections between TeliaSonera and corrupt (or
at least corruptible) persons.


[MOZREP] -- https://blog.mozilla.org/blog/2013/01/28/privacy-day-2013/

Blog post from January 28, 2013 where Mozilla is recognized as the
"Most Trusted Company for Privacy in 2012".


[RFERL] --
http://www.rferl.org/content/uzbekistan-teliasonera-ceo-quits/24890276.html

This is a report by Radio Free Europe/Radio Liberty on February 1,
2013 on the resignation of TeliaSonera CEO Lars Nyberg following an
independent investigation into business dealings in Uzbekistan. The
report indicates that criminal and other investigations continue.


[SLATE] --
http://www.slate.com/blogs/future_tense/2012/04/30/black_box_surveillance_of_phones_email_in_former_soviet_republics_.html

This is an English-language report by Slate on April 30, 2012 on the
"Black Boxes" video [BB-VID]. It describes the use of black boxes
for government surveillance and subsequent privacy losses and human
rights abuses by those governments.


[TS-FB] --
http://www.teliasonera.com/en/newsroom/news/2012/tcell-restricts-access-to-facebook-after-legal-request/

This is a press release from TeliaSonera on November 27, 2012
announcing that Tcell, a TeliaSonera company, has restricted access
to Facebook at the request of the country of Tajikistan. The
request is reported as being legal.


[TS-CEO] --
http://www.teliasonera.com/en/newsroom/press-releases/2013/6/johan-dennelind-appointed-president-and-ceo-of-teliasonera/

This is another press release from TeliaSonera on June 16, 2013 on
the announcement of the new CEO. It says he will take over as CEO
on September 1, 2013 at which time he will begin to take the company
in a new direction. The chairman of the board is quoted as saying
the new CEO will "provide a fresh start" for the company.


Kathleen Wilson

Aug 26, 2013, 6:22:18 PM
to mozilla-dev-s...@lists.mozilla.org
On 12/21/12 3:46 PM, Kathleen Wilson wrote:
> TeliaSonera has applied to add the “TeliaSonera Root CA v1” root
> certificate and enable the websites and email trust bits. TeliaSonera
> currently has two root certificates included in NSS, “Sonera Class1 CA”
> and “Sonera Class2 CA”, that were included as per bug #258416.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=539924
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=694980
>


All,
I appreciate your constructive and thoughtful input into this
discussion. It is clear that several of you have put significant energy
into researching the owner of this CA, and I appreciate you sharing your
findings here.

The list of included root certificates and each corresponding CA owner
is here:
http://www.mozilla.org/projects/security/certs/included/index.html

I have not looked into what businesses the owner of each CA is involved
in, and I have not identified all of the countries that each CA's owner
has business in. Mozilla's CA Certificate Policy currently does not
place limits on the businesses or countries that the owner of each CA
may be involved in. It is possible that a future version of the policy
will take this into account, and all included CAs would have to meet the
requirements of the new policy.
(https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3)

My focus has been on the CA's operation of their PKI -- Do they follow
Mozilla's CA Certificate Policy? Do they have 3rd-party audit statements
to back up their claim of compliance?

In the case of the TeliaSonera CA, the answer to those two questions is
yes, and no one has provided evidence to the contrary.

We recently published version 2.2 of Mozilla's CA Certificate Policy and
sent a CA Communication that emphasizes that Mozilla will not tolerate a
CA knowingly or intentionally mis-issuing certificates chaining to trust
anchors in Mozilla's program. If TeliaSonera were to create a MITM
certificate chaining up to root certificates in Mozilla's program, then
I would not hesitate to remove all TeliaSonera root certificates from
Mozilla products and I would advocate to have their root certificates
removed from other popular browsers.

The TeliaSonera CA has issued certs in Finland and Sweden, and may
eventually expand their CA business into the countries that they
specified. ("TeliaSonera will issue server certificates only to
organizations that are registered in the European Economic Area. The
European Economic Area (EEA) comprises the countries of the European
Union (EU), plus Iceland, Liechtenstein and Norway.") They plan to
eventually replace their two older "Sonera" (2048-bit) root certs with
this new (4096-bit) root cert, meaning that their two older root certs
would be removed from NSS when this transition is completed.

Typically this would have been considered a very standard request, but
this discussion turned into a political sounding board.

Approval of this root-renewal request means that the CA complies with
Mozilla’s CA Certificate Policy and provides annual audit statements
attesting to their compliance. It in no way reflects my opinion, or that
of Mozilla, on the actions of the owner of the CA in regards to their
non-CA related businesses and practices.

I am now closing this discussion, and will follow up directly in the bug.

Kathleen
