Google Groups

Re: TeliaSonera Request to included Renewed Root


Kathleen Wilson Mar 11, 2013 4:47 PM
Posted in group: mozilla.dev.security.policy
On 3/2/13 9:58 AM, Tom Lowenthal wrote:
> I think that Chris and Moudrick are pointing out that TeliaSonera has
> a history of taking actions hazardous to users, and that this provokes
> a reasonable suspicion that they would act similarly in future, even if
> such action would not comply with our CA agreement.
>
> The particular suspicion seem to be that they would comply with state
> actors to engage in communications interception and surveillance. Perhaps
> some of this interception might be subject to the laws (or norms) of some
> of the countries in which TeliaSonera operates, but some may be extra-legal,
> or international. Based on past performance, we could expect such
> interception -- legal/normal or otherwise -- to be disproportionately
> targeted towards political dissidents, to  be substantially contrary to the
> interests of those users, and potentially to have lethal or personal
> safety consequences for such users, their family, or their colleagues.
>
> * * * * *
>
> Again it seems that we have to re-visit the question of what kind of evidence
> or suspicion of misbehavior justifies rejection of a root request. I suggest that
> the evidence of previous malpractice and unethical behavior is sufficient
> in this case.


I think that we can take this a step further...

There appears to be evidence of TeliaSonera *currently* providing
software/services/devices (?) that enable their customers to engage in
communications interception and surveillance. Additionally, it appears
that TeliaSonera is *currently* providing such services to oppressive
regimes.

If they are *currently* engaging in this practice, then it's a very
small step for them to also include certificates chaining up to their
publicly trusted roots.

Many software companies (including some who have become CAs) made the
mistake years ago of selling software that basically did MITM type
things. However, all software companies (especially CAs) should know by
now the risk involved in selling such software. In my opinion, it is
very dangerous for any publicly-trusted CA to also be in the business of
selling software/services that can be used for communications
interception and surveillance. It is even more obviously dangerous for a
publicly-trusted CA to be selling such services to oppressive regimes.
Perhaps we can add policy that publicly-trusted CAs must not supply
surveillance equipment to repressive regimes -- suggestions on wording
and where to begin are welcome. In the meantime, we can still take action.

Based on the articles that I've reviewed, I think there may be
sufficient evidence that TeliaSonera has been recently selling something
to oppressive regimes that may have been used for "spying."

I will greatly appreciate it if you can all help develop this evidence
by providing specifics about what exactly it is that TeliaSonera has
been selling and how it is used for spying by the oppressive regimes
that are their customers.

Thanks,
Kathleen
--