
TeliaSonera Request to Include Renewed Root


Kathleen Wilson

Dec 21, 2012, 6:46:53 PM
to mozilla-dev-s...@lists.mozilla.org
TeliaSonera has applied to add the “TeliaSonera Root CA v1” root
certificate and enable the websites and email trust bits. TeliaSonera
currently has two root certificates included in NSS, “Sonera Class1 CA”
and “Sonera Class2 CA”, that were included as per bug #258416.

TeliaSonera provides telecommunication services in the Nordic and Baltic
countries, the emerging markets of Eurasia, including Russia and Turkey,
and in Spain.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=539924

And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#TeliaSonera

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=694980

Noteworthy points:

* The CPS documents are provided in English.

Repository: https://repository.trust.teliasonera.com

Root CPS:
http://repository.trust.teliasonera.com/TeliaSonera_Root_CPS_v2.01.pdf

Server Cert CPS:
https://repository.trust.teliasonera.com/TeliaSonera_Server_Certificate_CPS_v1.01.pdf

Organizational User Cert CPS:
https://repository.trust.teliasonera.com/TeliaSonera_Organizational_User_Certificate_CPS_v1.00.pdf

* This root cert has internally-operated subordinate CAs for server,
client, and TeliaSonera internal certificates

* The request is to enable the websites and email trust bits.

* Server Cert CPS section 3.2.3: TeliaSonera has two different server
certificate services:
1) SSL order by public electronic form: TeliaSonera authenticates the
administrative contact person defined in the certificate application by
calling the contact person via the Customer’s PBX number or when there
is no switchboard, by making a call to some other number in the
organization, which is looked up from a directory maintained by a third
party.
2) SSL order using TeliaSonera’s self service software: The Customer can
make an agreement with TeliaSonera to act as a Registration Officer
within the Customer Organization (Full SSL Service) and to register
TeliaSonera Server certificates using TeliaSonera’s RA system for
Customers. The Customer Registration Officer is restricted to register
certificates only within their own Organization (O) and the domain names
authorized by the CA. Before enabling the service or adding new
authorized Organization or domain names, the CA verifies the
organization identity and the domain names as described in the section
3.2.2.
When registering Subjects, the identity of the Registration Officer is
verified by means of the Registration Officer’s certificate issued by a
TeliaSonera CA.

* Server Cert CPS section 3.2.2: TeliaSonera verifies domain names and
IP addresses from a database maintained by a reliable third party
registrar, e.g. “domain.fi” (for domain “.fi”), iis.se (for domain
“.se”), ripe.net (for IP addresses) and
www.networksolutions.com/whosis-search (for non-country domains), that
as of the date the Certificate was issued, the Applicant either had the
right to use, or had control of, the Fully-Qualified Domain Name(s) and
IP address(es) listed in the Certificate, or was authorized by a person
having such right or control (e.g. under a Principal-Agent or
Licensor-Licensee relationship) to obtain a Certificate containing the
Fully-Qualified Domain Name(s) and IP address(es).

* Bug Comment #2: In enterprise RA cases when Customer Registration
Officer is allowed to enroll server certificates for his/her
organization each organization and domain value is first inspected by
TeliaSonera Registration Officer using the documented checking rules.
Then the values are added to the configuration of that customer so that
later the customer can use same values without a new verification.

* Organizational User Cert CPS section 3.2.3: The procedures to
authenticate the identity of the Subject vary between the different
TeliaSonera certificate services:
** TeliaSonera Class 1 CA v1 – TeliaSonera or Customer Registration
Officer is responsible for authenticating the Subject data according to
Organization’s internal policies. Subject authentication is typically
based on a previously recorded ownership of Customer’s email address,
device, or mobile phone number.
If Common Name or dnsName field of Subject Alternative Name includes
public domain names, TeliaSonera verifies that Customer Organization has
right to use them by checking the ownership from the official records
(e.g. domain.fi (.fi), iis.se (.se) or
www.networksolutions.com/whoi-search). A written permission from the
registered legal owner is an alternative.
TeliaSonera verifies the ownership of an email address by sending a
one-time-password to the applied email-address. Then the Subject entity
must use the password within limited time frame to prove the access to
the email-address. In Enterprise RA cases email-address can be taken
from reliable internal source of the Subscriber without additional
verification by one-time-password.
** TeliaSonera Class 2 CA v1 – Customer or TeliaSonera Registration
Officer is responsible for authenticating the Subject. The Registration
Officers are obliged to follow the policies and instructions given by
the CA.
The Registration officer should use Organization’s previously recorded
directories, databases or other similar information on Organization’s
employees, partners or devices to verify the Subject information
including the email address, or the Registration Officer should verify
the information by checking the Subject’s identity card.
** TeliaSonera Email CA v3 – Certificates are issued to employees within
the TeliaSonera Group and individuals contracted by TeliaSonera. The
Subscriber is authenticated using a username and password and
information stored in TeliaSonera’s directories or databases.

* EV Policy OID: Not applicable.

* Root Cert Download URL:
http://repository.trust.teliasonera.com/teliasonerarootcav1.cer

* Test URL: https://juolukka.cover.sonera.net:10443/

* CRL
http://crl-2.trust.teliasonera.com/teliasonerarootcav1.crl
http://crl-3.trust.teliasonera.com/teliasonerarootcav1.crl (NextUpdate:
7 days)
Root CPS Section 4.9.7: CRLs are published at least once in a day. The
CRL validity period is 168 hours. (7 days)

* OCSP: http://ocsp.trust.teliasonera.com/

* Audit: Annual WebTrust audits are performed by Ernst & Young and
posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1369 (2012.03.31)

Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices):
* Issuing end entity certificates directly from roots
** Bug Comment #2: We are stopping this problematic practice during this
year when our new TeliaSonera CAs are replacing the old Sonera CAs.

This begins the discussion of the request from TeliaSonera to add the
“TeliaSonera Root CA v1” root certificate and enable the websites and
email trust bits. At the conclusion of this discussion, I will provide a
summary of issues noted and action items. If there are no outstanding
issues, then this request can be approved. If there are outstanding
issues or action items, then an additional discussion may be needed as
follow-up.

Kathleen
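Two points in the request above are mechanical enough for a reviewer to check rather than take on trust: the Root CPS commitment that CRLs are published at least once a day with a 168-hour validity period, and the flagged practice of issuing end-entity certificates directly from the root. The following Python is an added example written for this page; it is not code from the thread, from Mozilla, or from TeliaSonera. It works on constructed sample data (the chain subjects and CRL timestamps are made up, and no real certificates or CRLs are parsed), so the functions can be fed values pulled from a real chain or CRL by whatever parser the reader already uses.

```python
from datetime import datetime, timedelta

# Constructed sample chains, leaf first: (subject, issuer, is_ca).
# The names are invented and do not correspond to any real CA.
GOOD_CHAIN = [
    ("CN=www.example.test", "CN=Example Class1 CA v1", False),
    ("CN=Example Class1 CA v1", "CN=Example Root CA v1", True),
    ("CN=Example Root CA v1", "CN=Example Root CA v1", True),
]
# The practice flagged on the page: the end-entity certificate is signed
# by the self-signed root itself, with no intermediate CA in between.
DIRECT_FROM_ROOT_CHAIN = [
    ("CN=www.example.test", "CN=Example Root CA v1", False),
    ("CN=Example Root CA v1", "CN=Example Root CA v1", True),
]


def leaf_issued_directly_from_root(chain):
    """Return True if the end-entity certificate's issuer is a self-signed root.

    The chain is a list of (subject, issuer, is_ca) triples, leaf first.
    A self-signed root is recognised by subject == issuer and is_ca == True.
    """
    leaf_subject, leaf_issuer, leaf_is_ca = chain[0]
    if leaf_is_ca:
        raise ValueError("first element must be the end-entity certificate")
    for subject, issuer, is_ca in chain[1:]:
        if subject == leaf_issuer:
            return is_ca and subject == issuer
    raise ValueError("issuer of the leaf certificate is not present in the chain")


# Limits taken from the Root CPS section 4.9.7 as quoted in the post:
# CRLs published at least once a day, CRL validity period 168 hours.
MAX_CRL_VALIDITY = timedelta(hours=168)
MAX_PUBLISH_GAP = timedelta(days=1)


def check_crl_schedule(crl_updates):
    """Check a sequence of (thisUpdate, nextUpdate) pairs, oldest first.

    Returns a list of human-readable findings; an empty list means the
    observed CRLs conform to the stated publication and validity limits.
    """
    findings = []
    for i, (this_update, next_update) in enumerate(crl_updates):
        validity = next_update - this_update
        if validity > MAX_CRL_VALIDITY:
            findings.append(f"CRL {i}: validity {validity} exceeds 168 hours")
        if i > 0:
            prev_this, prev_next = crl_updates[i - 1]
            gap = this_update - prev_this
            if gap > MAX_PUBLISH_GAP:
                findings.append(f"CRL {i}: issued {gap} after the previous one, "
                                "which is less than daily publication")
            if this_update > prev_next:
                # No CRL was valid between prev_next and this_update.
                findings.append(f"CRL {i}: coverage gap, previous CRL expired "
                                f"at {prev_next} before this one was issued")
    return findings


# Constructed CRL timestamps (not observed from any real CRL endpoint).
T0 = datetime(2013, 1, 1, 0, 0)
CONFORMANT_CRLS = [
    (T0 + timedelta(days=d), T0 + timedelta(days=d, hours=168)) for d in range(3)
]
LATE_CRLS = [
    (T0, T0 + timedelta(hours=168)),
    # Issued three days later with a 200-hour validity: two findings.
    (T0 + timedelta(days=3), T0 + timedelta(days=3, hours=200)),
]

if __name__ == "__main__":
    print("good chain direct-from-root:", leaf_issued_directly_from_root(GOOD_CHAIN))
    print("flagged chain direct-from-root:",
          leaf_issued_directly_from_root(DIRECT_FROM_ROOT_CHAIN))
    print("conformant CRL findings:", check_crl_schedule(CONFORMANT_CRLS))
    print("late CRL findings:", check_crl_schedule(LATE_CRLS))
```

The chain check matches issuer to subject by name only, which is enough to spot the structural practice the post flags; a real review would additionally verify the signatures, since name matching alone does not prove who signed what.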

petter.l...@gmail.com

Jan 21, 2013, 5:19:20 AM
to mozilla-dev-s...@lists.mozilla.org, petter.l...@gmail.com, pekka.la...@teliasonera.com
I have read the information and can verify it is correct.
Petter Ljunggren

Kathleen Wilson

Feb 27, 2013, 8:01:35 PM
to mozilla-dev-s...@lists.mozilla.org
All,

Please review and comment on this request from TeliaSonera to add their
next generation root certificate.

If no concerns are raised, then early next week I plan to close this
discussion and recommend approval in the bug.

Thanks,
Kathleen

ch...@soghoian.net

Mar 1, 2013, 7:19:02 AM
to mozilla-dev-s...@lists.mozilla.org
This is the same TeliaSonera that has been accused of assisting the governments of Belarus, Uzbekistan, Azerbaijan, Tajikistan, Georgia and Kazakhstan with their efforts to spy on journalists, union leaders, and members of the political opposition?

See 1 hour documentary on the topic here:
http://vimeo.com/41248885

One whistle-blower who worked for Teliasonera told the documentary reporters, “The Arab Spring prompted the regimes to tighten their surveillance. ... There’s no limit to how much wiretapping is done, none at all.”

EFF's blog post:
https://www.eff.org/deeplinks/2012/05/swedish-telcom-giant-teliasonera-caught-helping-authoritarian-regimes-spy-its

Slate's story:
http://www.slate.com/blogs/future_tense/2012/04/30/black_box_surveillance_of_phones_email_in_former_soviet_republics_.html

Why would we want to expand the ability of this company to create MiTM certificates Firefox users? If anything, we should be discussing kicking them out of the CA trust database.

If you want to be in the surveillance business, you shouldn't get to be a CA too.

Moudrick M. Dadashov

Mar 1, 2013, 8:41:21 AM
to ch...@soghoian.net, dev-secur...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
Chris, while I 100% agree with you, your list of TeliaSonera
"achievements" is far from complete.

Not so long ago, like yourself, I presented similar arguments
against a TeliaSonera controlled CA from Estonia (aka a pocket CA). Even
though the CA failed to address elementary questions (re: outsourced RA,
OCSP practices etc.) they are in the trusted Root list now. This is
definitely unfortunate; a trusted entity can't be half pregnant (a CA's
corrupted el. signature business doesn't affect its SSL service..).

TeliaSonera is not an organization like most of us are familiar with.
TeliaSonera is an umbrella for tens or maybe even hundreds of
"independent" entities; it's a network of organizations. I've never seen
such a deeply corrupted infrastructure as TeliaSonera. But anyway, let's
help the community understand why we should NOT trust TeliaSonera in
terms of this Root program's requirements.

So far I was able to review only one document: TeliaSonera – Root
Certification Practice Statement – v. 2.01. From what I've learned from
this document they are "upgrading" a geographically limited Root with
one that is geographically unlimited. The unlimited Root is going to
host issuing CAs for a client, e.g. for a good President of country X.

TeliaSonera, could you please explain to us why you need this
geographically unrestricted Root CA?

Thank you, and please don't take this personally..

M.D.



Tom Lowenthal

Mar 2, 2013, 12:58:24 PM
to mozilla-dev-s...@lists.mozilla.org, Chris Soghoian
I think that Chris and Moudrick are pointing out that TeliaSonera has a history of taking actions hazardous to users, and that this provokes a reasonable suspicion that they would act similarly in future, even if such action would not comply with our CA agreement.

The particular suspicion seems to be that they would comply with state actors to engage in communications interception and surveillance. Perhaps some of this interception might be subject to the laws (or norms) of some of the countries in which TeliaSonera operates, but some may be extra-legal, or international. Based on past performance, we could expect such interception -- legal/normal or otherwise -- to be disproportionately targeted towards political dissidents, to be substantially contrary to the interests of those users, and potentially to have lethal or personal safety consequences for such users, their family, or their colleagues.

* * * * *

Again it seems that we have to re-visit the question of what kind of evidence or suspicion of misbehavior justifies rejection of a root request. I suggest that the evidence of previous malpractice and unethical behavior is sufficient in this case.

Stephen Schultze

Mar 2, 2013, 1:05:27 PM
to mozilla-dev-s...@lists.mozilla.org
Based on the ample evidence of non-trustworthy behavior, I propose that
TeliaSonera's existing roots be removed from the trusted root database.

Inclusion of roots by this company does not pass the straight-face test if
you ask whether they "cause undue risks to users' security."

Steve

On 3/1/13 7:19 AM, ch...@soghoian.net wrote:
> This is the same TeliaSonera that has been accused of assisting the governments of Belarus, Uzbekistan, Azerbaijan, Tajikistan, Georgia and Kazakhstan with their efforts to spy on journalists, union leaders, and members of the political opposition?
>
> See 1 hour documentary on the topic here:
> http://vimeo.com/41248885
>
> One whistle-blower who worked for Teliasonera told the documentary reporters, “The Arab Spring prompted the regimes to tighten their surveillance. .... There’s no limit to how much wiretapping is done, none at all.”

Moudrick M. Dadashov

Mar 2, 2013, 2:43:43 PM
to Tom Lowenthal, mozilla-dev-s...@lists.mozilla.org, dev-secur...@lists.mozilla.org, Chris Soghoian
Anybody on this list familiar with how ACB/ITSS works?
https://www.rtgserver.net/

a sample report:
http://www.dbs.lt/show_big_img.php?src=./att_files/img9_3020.jpg#

Manufacturer:
Cibertec International S.A., http://www.cibertec.com/

Countries where TeliaSonera deployed this "value-added service":
Costa Rica, Panama, Nicaragua, Honduras, Ukraine, Latvia, Lithuania,
Philippines, Singapore, Morocco, Colombia, Malaysia, Mexico, Ecuador,
Caribbean Islands, BVI, Jamaica, Cayman Is, Barbados, Armenia, Kirgizstan...

ACB/ITSS is a fixed voice network spying system and philosophy of
TeliaSonera's business model: Pecunia non olet.

IMO TeliaSonera Root inclusion request must be declined because of
unacceptable business practices.

Forward this email to someone from EU authorities and/or Swedish
Government you know.

Thanks,
M.D.
P.S. More first hand corruption related facts available.


pekka.la...@teliasonera.com

Mar 6, 2013, 6:21:39 AM
to mozilla-dev-s...@lists.mozilla.org
Please check www.teliasonera.com/newsroom for current and correct information regarding our business as well as our operation in Eurasia. Should concerns still remain, happy to discuss.

Reasons to upgrade TeliaSonera CA Root certificate are simply:
• Longer validity time for business continuity
• Longer key length: 2k -> 4k
• New company name: Sonera -> TeliaSonera
• New CA hierarchy to stop using Root CA to sign end-entity certificates

This TeliaSonera Root CA issues public certificates only to Swedish and Finnish customers and citizens. Both countries have their own RA and sub CA under the new root: “TeliaSonera Class1 CA v1” for certificates issued from Finland and “TeliaSonera Class2 CA v1” for certificates issued from Sweden. All our processes and certificates are following Mozilla requirements and are validated yearly in Webtrust audit.

Martin Millnert

Mar 6, 2013, 7:21:50 AM
to pekka.la...@teliasonera.com, dev-secur...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
Hi,

On Wed, 2013-03-06 at 03:21 -0800, pekka.la...@teliasonera.com
wrote:
> Please check www.teliasonera.com/newsroom for current and correct
> information regarding our business as well as our operation in
> Eurasia. Should concerns still remain happy to discuss.

I checked the link and found a factbook on TeliaSonera in Eurasia, [0],
but I don't see any response to the criticism brought up in [1] [2] [3]
in it.

Has this criticism been met elsewhere, which I missed on the link?

If the criticism is incorrect I imagine it should be trivial to reject
it.

[4] makes you doubt though:
"We have a clear policy in place to ensure that all requests are handled
in a legally correct way, and we aim to communicate them on our
corporate website /to the extent possible/." - emphasis mine.

Best regards,
Martin

[0] http://www.teliasonera.com/Documents/Public%20policy%
20documents/TeliaSonera_Factbook_Eurasia_01022013.pdf
[1]
https://www.eff.org/deeplinks/2012/05/swedish-telcom-giant-teliasonera-caught-helping-authoritarian-regimes-spy-its
[2]
http://www.slate.com/blogs/future_tense/2012/04/30/black_box_surveillance_of_phones_email_in_former_soviet_republics_.html
[3] http://vimeo.com/41248885
[4]
http://www.teliasonera.com/en/newsroom/news/2012/tcell-restricts-access-to-facebook-after-legal-request/


Stephen Schultze

Mar 8, 2013, 5:10:15 PM
to mozilla-dev-s...@lists.mozilla.org
I asked Sarah Kendzior, an anthropologist who studies the internet in
eastern Europe, about this thread. She said:

===
Hi Stephen. I read through the Google thread on Teliasonera and I
absolutely agree with you, Chris Soghoian and others who see Teliasonera
as corrupt and untrustworthy. As he noted, they have assisted the
repressive governments of many former Soviet states and are currently
involved in a money laundering/bribery scandal in Uzbekistan, one of the
worst dictatorships in the world. Their main point of contact is Gulnara
Karimova, the daughter of the Uzbek president who is essentially a
mafioso princess; she has a history of corrupt business dealings going
back decades.

Teliasonera has tried to blame the Uzbek scandal on their efforts to "do
business in a corrupt country" instead of on their own corruption, but
they have engaged in similar deals with the former royal family of
Nepal, who have a long history of shady deals, as well as the other
countries Soghoian mentions. The problem is with Teliasonera -- the
countries and people they choose to work with are a reflection of their
own ethics.

Eurasianet and Radio Free Europe, which specialize in reporting on the
former Soviet Union, have been following the Teliasonera case closely.
Here are a couple of suggested links:

http://www.rferl.org/content/uzbekistan-teliasonera-ceo-quits/24890276.html

http://www.eurasianet.org/node/66375

Joanna Lillis at Eurasianet has done solid reporting on this; her other
articles are worth checking out too.

Hope this helps!

Sarah
===

Erwann Abalea

Mar 9, 2013, 10:33:39 AM
On Thursday, 28 February 2013 02:01:35 UTC+1, Kathleen Wilson wrote:
> Please review and comment on this request from TeliaSonera to add their
> next generation root certificate.
>
> If no concerns are raised, then early next week I plan to close this
> discussion and recommend approval in the bug.

Reading the other messages, it looks like the "no comment means approval" isn't always a valid approach (I'm not saying it's always wrong).
By chance, the detractors here aren't behind a GFW-like barrier.

Nothing has been shown proving they mis-behaved in their CA role. That was the argument to approve CNNIC.
On the other hand, the company seems to mis-behave on some markets, with eavesdropping activities. Being a CA extends the ability to spy on users.

I agree with Tom's post (every word of it).

Peter Kurrasch

Mar 11, 2013, 6:07:38 PM
to dev-secur...@lists.mozilla.org
Previously...
> Nothing has been shown proving they mis-behaved in their CA role. That was the argument to approve CNNIC.
> On the other hand, the company seems to mis-behave on some markets, with eavesdropping activities. Being a CA extends the ability to spy on users.
In fact, I think we've been discussing on this list that root CAs are
responsible for their subordinates. Ergo, TeliaSonera bears
responsibility for the well-documented misdeeds by organizations that
chain up to their roots.

In light of all that has been presented on this list it seems clear that
TeliaSonera should be prohibited from participating in the Mozilla
trusted root program. This means that the current request be denied as
well as future requests. I think an argument could be made that a
permanent block be added to Mozilla products for current/known roots.
After all, the same action was taken after the DigiNotar fiasco and what
TeliaSonera is doing now is just as bad, if not worse.

Kathleen Wilson

Mar 11, 2013, 7:47:59 PM
to mozilla-dev-s...@lists.mozilla.org
I think that we can take this a step further...

There appears to be evidence of TeliaSonera *currently* providing
software/services/devices (?) that enable their customers to engage in
communications interception and surveillance. Additionally, it appears
that TeliaSonera is *currently* providing such services to oppressive
regimes.

If they are *currently* engaging in this practice, then it's a very
small step for them to also include certificates chaining up to their
publicly trusted roots.

Many software companies (including some who have become CAs) made the
mistake years ago of selling software that basically did MITM type
things. However, all software companies (especially CAs) should know by
now the risk involved in selling such software. In my opinion, it is
very dangerous for any publicly-trusted CA to also be in the business of
selling software/services that can be used for communications
interception and surveillance. It is even more obviously dangerous for a
publicly-trusted CA to be selling such services to oppressive regimes.
Perhaps we can add policy that publicly-trusted CAs must not supply
surveillance equipment to repressive regimes -- suggestions on wording
and where to begin are welcome. In the meantime, we can still take action.

Based on the articles that I've reviewed, I think there may be
sufficient evidence that TeliaSonera has been recently selling something
to oppressive regimes that may have been used for "spying."

I will greatly appreciate it if you can all help develop this evidence
by providing specifics about what exactly it is that TeliaSonera has
been selling and how it is used for spying by the oppressive regimes
that are their customers.

Thanks,
Kathleen



ch...@soghoian.net

Mar 12, 2013, 12:50:04 AM
to mozilla-dev-s...@lists.mozilla.org
Kathleen,

I welcome (and applaud) your statement that "it is very dangerous for any publicly-trusted CA to also be in the business of selling software/services that can be used for communications interception and surveillance."

I am also delighted to hear that you are open to the idea of punishing TeliaSonera for its role in facilitating surveillance in multiple countries.

Mozilla can and should establish a policy that CAs may not also be in the surveillance business. However, I see no reason to limit such a prohibition to the sale of surveillance technologies or services to authoritarian governments. The prohibition should apply to all governments.

I don't think I am alone in saying that I don't want a company that provides surveillance technology or services to any government - my own country, another western country, or anywhere else in the world to be trusted by my web browser with MiTM powers.

TeliaSonera provides us with a good opportunity to open the books, and consider a broader anti-surveillance CA policy. That TeliaSonera is assisting human rights abusing governments is of course bad, but that they are merely in the surveillance business should be more than enough of a reason to kick them out of the trust database.

Finally, it is worth noting that security experts have been raising similar concerns for nearly a decade. See I. Grigg and A. Shostack. VeriSign and Conflicts of Interest, February 2 2005. http://forum.icann.org/lists/net-rfp-verisign/msg00008.html.

Thanks,

Chris

Eitan Adler

Mar 12, 2013, 1:36:34 AM
to ch...@soghoian.net, mozilla-dev-s...@lists.mozilla.org, mozilla.dev.s...@googlegroups.com
On 12 March 2013 00:50, <ch...@soghoian.net> wrote:
> Kathleen,
>
> I welcome (and applaud) your statement that "it is very dangerous for any publicly-trusted CA to also be in the business of selling software/services that can be used for communications interception and surveillance."
>
> I am also delighted to hear that you are open to the idea of punishing TeliaSonera for its role in facilitating surveillance in multiple countries.
>
> Mozilla can and should establish a policy that CAs may not also be in the surveillance business. However, I see no reason to limit such a prohibition to the sale of surveillance technologies or services to authoritarian governments. The prohibition should apply to all governments.

+1. Mozilla should not be in the business of deciding which
governments that conduct surveillance are 'good' and which are 'bad'.
There should be a blanket policy prohibiting companies that sell
communications interception or surveillance software or services from
being considered a publicly-trusted CA.

--
Eitan Adler

Kathleen Wilson

Mar 12, 2013, 12:41:00 PM
to mozilla-dev-s...@lists.mozilla.org
Some things we should consider...

1) I think it's safe to assume that every government has some sort of
reconnaissance surveillance and intelligence systems organization. So
then wouldn't every government CA fall into this category? We've tried
many times to figure out what to do about government CAs
(https://wiki.mozilla.org/CA:GovernmentCAs), but I don't believe we
should simply ban all government CAs.

2) There are some very large non-government organizations that have a
broad set of products, they may have grown through acquisitions, and may
have several independently-operated subsidiaries. Let's imagine an
example and say that a particular company has one subsidiary that sells
Sonicwall devices, and another subsidiary that is a publicly trusted CA.
Would it be reasonable to kick that CA out of Mozilla's program? What if
that CA has been a good-behaving CA for many years and is regularly
audited, and there is no evidence that they are not keeping their CA
program independent other than the umbrella company that owns them?

3) Is it the responsibility of the company selling their products to
make sure they are not used inappropriately? This question applies to
selling computers, telecommunications devices, other electronic devices,
etc.

4) Is there a clear distinction that can be used to identify which
products are "surveillance products"? (Can't any computer be used for
surveillance?)

5) Is there a clear distinction that can be used to identify which
countries have oppressive regimes? Is it reasonable to prohibit
companies from selling their products in those countries?

6) Mozilla's policy says: "Mozilla may, at its sole discretion, disable
(partially or fully) or remove a certificate at any time and for any
reason." However, (despite all the mean words that get thrown at me) I
do try to run the program in a fair, open, and impartial manner. It can
be very difficult to distinguish between a smear campaign and a truly
bad-acting CA, especially when there is another language, culture, and
politics involved.


Kathleen





Peter Kurrasch

Mar 12, 2013, 3:50:32 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On 03.12.2013 11:41 AM, Kathleen Wilson wrote:
> Some things we should consider...
>
> 1) I think it's safe to assume that every government has some sort of
> reconnaissance surveillance and intelligence systems organization. So
> then wouldn't every government CA fall into this category? We've tried
> many times to figure out what to do about government CAs
> (https://wiki.mozilla.org/CA:GovernmentCAs), but I don't believe we
> should simply ban all government CAs.
I would put it a little differently. I think we have every reason to
assume that major world governments have "special" arrangements with the
major players in the root CA game. It is those relationships that
should be scrutinized and handled accordingly. Obviously by their very
nature it is hard to learn about any such arrangements, but I
nonetheless would say that is where our concern lies. If a government
wishes to operate as a CA itself it deserves the same scrutiny as any
other CA (see also my comments below).

> 2) There are some very large non-government organizations that have a
> broad set of products, they may have grown through acquisitions, and
> may have several independently-operated subsidiaries. Let's imagine an
> example and say that a particular company has one subsidiary that
> sells Sonicwall devices, and another subsidiary that is a publicly
> trusted CA. Would it be reasonable to kick that CA out of Mozilla's
> program? What if that CA has been a good-behaving CA for many years
> and is regularly audited, and there is no evidence that they are not
> keeping their CA program independent other than the umbrella company
> that owns them?
I would say this should be handled on a case-by-case basis. So much would
depend on the nature of the ownership and the ways in which trust has
been violated.

I would add that past behavior is not necessarily a predictor for future
good deeds. Changes in management within an organization can lead to a
change in principles and priorities. Such changes can affect how we (as
outsiders) feel about the organization and how much trust we are willing
to extend.

> 3) Is it the responsibility of the company selling their products to
> make sure they are not used inappropriately? This question applies to
> selling computers, telecommunications devices, other electronic
> devices, etc.
For the purposes of establishing and maintaining the idea of trust I
think this is an easy one: absolutely yes. It's not enough for me to
grab a crypto box of some sort--I also have to know how to decode the
data. If I can steal a private key, trust has been broken. If the
producer of the box is complicit in providing me with a backdoor means
to decode the data, trust is just as broken.

> 4) Is there a clear distinction that can be used to identify which
> products are "surveillance products"? (Can't any computer be used for
> surveillance?)
I don't think such a distinction is necessary--spying is spying. CAs
are not to issue certs or divulge private keys (or ???) in order to
facilitate spying (again, see my comments below).

> 5) Is there a clear distinction that can be used to identify which
> countries have oppressive regimes? Is it reasonable to prohibit
> companies from selling their products in those countries?
I'm sure there are but I think it would be best to avoid that
philosophical discussion if possible (and see my comments below). If
you are an employer trying to spy on your employees or some regime
trying to silence the opposition, I don't think it matters much for our
purposes here.

> 6) Mozilla's policy says: "Mozilla may, at its sole discretion,
> disable (partially or fully) or remove a certificate at any time and
> for any reason." However, (despite all the mean words that get thrown
> at me) I do try to run the program in a fair, open, and impartial
> manner. It can be very difficult to distinguish between a smear
> campaign and a truly bad-acting CA, especially when there is another
> language, culture, and politics involved.
I think you do a good job! and you are as fair, open, and impartial as
anyone can reasonably expect!

At the risk of oversimplifying, I think this entire discussion can be
boiled down to one word: trust.

1) We are talking about the "trusted store" for root CAs, and we enable
"trust bits" on certain certificates. Trust is at the very core of what
we're doing here. Trust is the foundation of PKI writ large!

2) Once trust is lost it is very hard to regain it (and this can be
said of any organization--the New York Times went through this some
years ago when it had trouble with reporters plagiarizing or forging
articles). As such, it is in Mozilla's profound interest to establish
and maintain that trust (hence the policy allowing Mozilla to act on its
own). Failure to do so would have serious consequences to Mozilla
products and the organizational mission.

3) We (Mozilla and contributors) do our best to ensure that only those
certs that are "believed to be good" get included in the trusted store.
This is not a perfect nor exact process, but we employ the relevant
standards, recommendations, best practices, and common sense in an
effort to reach a conclusion.

4) Likewise, we strive to block those certs that are "known to be
bad". Whether compromised by theft, negligence, or bad acts we discuss
the situation and act accordingly (including disabling or removing
certs). Some recent examples (with various outcomes) include DigiNotar,
the recent Turktrust flap, and now TeliaSonera.

5) When rendering a decision to remove/disable a CA from the trusted
store, I think the policy should be to record the reason for the action
(somewhere on the wiki?) and include links to articles, etc. that were
used to reach that conclusion. I would say that if you have 3 or 4
independent and objective reports documenting a bad act, that should be
sufficient. Also by making the links public we allow for the
possibility to revisit the issue should one or more reports prove
fraudulent--or more information otherwise become available. In other
words, perhaps a "known to be bad" agency could one day be "believed to
be good".

I hope the above stimulates further discussion!

Jean-Marc Desperrier

Mar 13, 2013, 5:02:04 AM3/13/13
to mozilla-dev-s...@lists.mozilla.org
Stephen Schultze wrote:
> Their main point of contact is Gulnara Karimova, the daughter of the
> Uzbek president who is essentially a mafioso princess; she has a history
> of corrupt business dealings going back decades.

Oh, so that's the girl with whom Depardieu is singing ...

irene...@teliasonera.com

Mar 13, 2013, 12:11:22 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
On Saturday, 22 December 2012 00:46:53 UTC+1, Kathleen Wilson wrote:
> TeliaSonera has applied to add the “TeliaSonera Root CA v1” root certificate and enable the websites and email trust bits. TeliaSonera currently has two root certificates included in NSS, “Sonera Class1 CA” and “Sonera Class2 CA”, that were included as per bug #258416.
>
> TeliaSonera provides telecommunication services in the Nordic and Baltic countries, the emerging markets of Eurasia, including Russia and Turkey, and in Spain.
>
> The request is documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=539924
>
> And in the pending certificates list here: http://www.mozilla.org/projects/security/certs/pending/#TeliaSonera
>
> Summary of Information Gathered and Verified: https://bugzilla.mozilla.org/attachment.cgi?id=694980
>
> Noteworthy points:
>
> * The CPS documents are provided in English.
> Repository: https://repository.trust.teliasonera.com
> Root CPS: http://repository.trust.teliasonera.com/TeliaSonera_Root_CPS_v2.01.pdf
> Server Cert CPS: https://repository.trust.teliasonera.com/TeliaSonera_Server_Certificate_CPS_v1.01.pdf
> Organizational User Cert CPS: https://repository.trust.teliasonera.com/TeliaSonera_Organizational_User_Certificate_CPS_v1.00.pdf
>
> * This root cert has internally-operated subordinate CAs for server, client, and TeliaSonera internal certificates
>
> * The request is to enable the websites and email trust bits.
>
> * Server Cert CPS section 3.2.3: TeliaSonera has two different server certificate services:
> 1) SSL order by public electronic form: TeliaSonera authenticates the administrative contact person defined in the certificate application by calling the contact person via the Customer’s PBX number or when there is no switchboard, by making a call to some other number in the organization, which is looked up from a directory maintained by a third party.
> 2) SSL order using TeliaSonera’s self service software: The Customer can make an agreement with TeliaSonera to act as a Registration Officer within the Customer Organization (Full SSL Service) and to register TeliaSonera Server certificates using TeliaSonera’s RA system for Customers. The Customer Registration Officer is restricted to register certificates only within their own Organization (O) and the domain names authorized by the CA. Before enabling the service or adding new authorized Organization or domain names, the CA verifies the organization identity and the domain names as described in the section 3.2.2. When registering Subjects, the identity of the Registration Officer is verified by means of the Registration Officer’s certificate issued by a TeliaSonera CA.
>
> * Server Cert CPS section 3.2.2: TeliaSonera verifies domain names and IP addresses from a database maintained by a reliable third party registrar, e.g. “domain.fi” (for domain “.fi”), iis.se (for domain “.se”), ripe.net (for IP addresses) and www.networksolutions.com/whosis-search (for non-country domains), that as of the date the Certificate was issued, the Applicant either had the right to use, or had control of, the Fully-Qualified Domain Name(s) and IP address(es) listed in the Certificate, or was authorized by a person having such right or control (e.g. under a Principal-Agent or Licensor-Licensee relationship) to obtain a Certificate containing the Fully-Qualified Domain Name(s) and IP address(es).
>
> * Bug Comment #2: In enterprise RA cases when Customer Registration Officer is allowed to enroll server certificates for his/her organization each organization and domain value is first inspected by TeliaSonera Registration Officer using the documented checking rules. Then the values are added to the configuration of that customer so that later the customer can use same values without a new verification.
>
> * Organizational User Cert CPS section 3.2.3: The procedures to authenticate the identity of the Subject vary between the different TeliaSonera certificate services:
> ** TeliaSonera Class 1 CA v1 – TeliaSonera or Customer Registration Officer is responsible for authenticating the Subject data according to Organization’s internal policies. Subject authentication is typically based on a previously recorded ownership of Customer’s email address, device, or mobile phone number. If Common Name or dnsName field of Subject Alternative Name includes public domain names, TeliaSonera verifies that Customer Organization has right to use them by checking the ownership from the official records (e.g. domain.fi (.fi), iis.se (.se) or www.networksolutions.com/whoi-search). A written permission from the registered legal owner is an alternative. TeliaSonera verifies the ownership of an email address by sending a one-time-password to the applied email-address. Then the Subject entity must use the password within limited time frame to prove the access to the email-address. In Enterprise RA cases email-address can be taken from reliable internal source of the Subscriber without additional verification by one-time-password.
> ** TeliaSonera Class 2 CA v1 – Customer or TeliaSonera Registration Officer is responsible for authenticating the Subject. The Registration Officers are obliged to follow the policies and instructions given by the CA. The Registration officer should use Organization’s previously recorded directories, databases or other similar information on Organization’s employees, partners or devices to verify the Subject information including the email address, or the Registration Officer should verify the information by checking the Subject’s identity card.
> ** TeliaSonera Email CA v3 – Certificates are issued to employees within the TeliaSonera Group and individuals contracted by TeliaSonera. The Subscriber is authenticated using a username and password and information stored in TeliaSonera’s directories or databases.
>
> * EV Policy OID: Not applicable.
>
> * Root Cert Download URL: http://repository.trust.teliasonera.com/teliasonerarootcav1.cer
>
> * Test URL: https://juolukka.cover.sonera.net:10443/
>
> * CRL http://crl-2.trust.teliasonera.com/teliasonerarootcav1.crl http://crl-3.trust.teliasonera.com/teliasonerarootcav1.crl (NextUpdate: 7 days)
> Root CPS Section 4.9.7: CRLs are published at least once in a day. The CRL validity period is 168 hours. (7 days)
>
> * OCSP: http://ocsp.trust.teliasonera.com/
>
> * Audit: Annual WebTrust audits are performed by Ernst & Young and posted on the webtrust.org website. https://cert.webtrust.org/ViewSeal?id=1369 (2012.03.31)
>
> Potentially Problematic Practices (http://wiki.mozilla.org/CA:Problematic_Practices):
> * Issuing end entity certificates directly from roots
> ** Bug Comment #2: We are stopping this problematic practice during this year when our new TeliaSonera CAs are replacing the old Sonera CAs.
>
> This begins the discussion of the request from TeliaSonera to add the “TeliaSonera Root CA v1” root certificate and enable the websites and email trust bits. At the conclusion of this discussion, I will provide a summary of issues noted and action items. If there are no outstanding issues, then this request can be approved. If there are outstanding issues or action items, then an additional discussion may be needed as follow-up.
>
> Kathleen

TeliaSonera was founded in the 1850’s and has its roots in the Nordic telecom market. We are pioneers of the telecom industry, one of the inventors of mobile communications and founders of GSM. Today we help our more than 71 million subscribers in the Nordic and Baltic countries, Eurasia and Spain to communicate by providing high quality telecommunication services. We are also the leading European wholesale provider with a wholly-owned international carrier network.

As for all operators - TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime. This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation. Together with a group of other international telecom companies TeliaSonera formed the Industry Dialogue 2011 to discuss freedom of expression and privacy rights in the sector, in the context of the UN Guiding Principles on Business and Human Rights. Standing together enables the participating companies to act in the same, sustainable manner. The collaboration is the beginning of a common journey.

Through our presence in Eurasia, we are generating growth for our shareholders, but even more important are the opportunities that our services create in the countries where we have set up business. Few tools are better for economic and personal development than access to the internet and mobile telephony. They enable people to communicate with each other and the outside world in a way that was not possible a few years ago, and they open up previously closed societies to the outside world. Our contribution is through our investment in important infrastructure, and through provision of communication services at affordable prices to the vast majority of the population.


irene...@teliasonera.com

Mar 13, 2013, 12:44:25 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
Official reply from TeliaSonera.

TeliaSonera was founded in the 1850’s and has its roots in the Nordic telecom market. We are pioneers of the telecom industry, one of the inventors of mobile communications and founders of GSM. Today we help our more than 71 million subscribers in the Nordic and Baltic countries, Eurasia and Spain to communicate by providing high quality telecommunication services. We are also the leading European wholesale provider with a wholly-owned international carrier network.

As for all operators - TeliaSonera does not provide lawful interception surveillance services beyond those required by lawful legislation. The governments and security services of all countries in the world have the legal right to request information from operators and monitor network traffic for the purpose of fighting crime. This is happening every day in all countries and applies to all operators. We are obliged to comply with the legislation of each country. However together we strive to develop common principles for handling situations where there is a conflict between human rights and national legislation. Together with a group of other international telecom companies TeliaSonera formed the Industry Dialogue 2011 to discuss freedom of expression and privacy rights in the sector, in the context of the UN Guiding Principles on Business and Human Rights. Standing together enables the participating companies to act in the same, sustainable manner. The collaboration is the beginning of a common journey.

Through our presence in Eurasia, we are generating growth for our shareholders, but even more important are the opportunities that our services create in the countries where we have set up business. Few tools are better for economic and personal development than access to the internet and mobile telephony. They enable people to communicate with each other and the outside world in a way that was not possible a few years ago, and they open up previously closed societies to the outside world. Our contribution is through our investment in important infrastructure, and through provision of communication services at affordable prices to the vast majority of the population.
Irene Krohn, Senior Media Relation Manager

ch...@soghoian.net

Mar 13, 2013, 1:38:30 PM3/13/13
TeliaSonera has now confirmed, via the press release posted to this group by their public relations manager, that they are in the interception business. Although they insist that they do not provide any interception services beyond those required by law in the countries in which they operate, that should not impact Mozilla's decision.

There are plenty of certificate authorities out there, including many that are not in the surveillance business, and want nothing to do with it. Mozilla can and should use its power to force these companies to pick which market they want to be in - they can either provide wiretaps or HTTPS certificates, but not both.

In many countries (including the US), telecommunications carriers are required to provide surveillance assistance to governments. This will likely mean that telecommunications carriers will not be able to be in the certificate business.

Due to the really nasty governments that TeliaSonera has assisted, I think that Mozilla should promptly move towards kicking the company out of the CA database. In the long term, Mozilla should also embrace a broader anti-surveillance policy (with sufficient notice, large conglomerates with surveillance and CA divisions will be able to sell their CA division to another company that is not in the surveillance business).

As for how to identify which companies sell surveillance technology and services: As a general rule of thumb, if a company offers "lawful interception" products and services, it is in the surveillance business. If it spies on its customers for governments by secretly handing over their communications data, it is in the surveillance business. If it exhibits at ISS World (aka the wiretappers ball), it is in the surveillance business.

Finally, Kathleen also raises the important issue of government CAs. These should also be addressed, but we shouldn't block action on surveillance companies because we haven't figured out how to deal with governments.



Eddy Nigg

Mar 13, 2013, 6:21:40 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
On 03/13/2013 07:38 PM, From ch...@soghoian.net:
> This will likely mean that telecommunications carriers will not be able to be in the certificate business.

This is actually a good point and there might be a conflict of
interest/requirements for such entities. It makes sense from my point of
view that being such a service provider might be more than problematic.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Rob Stradling

Mar 13, 2013, 6:42:00 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
On 13/03/13 22:21, Eddy Nigg wrote:
> On 03/13/2013 07:38 PM, From ch...@soghoian.net:
>> This will likely mean that telecommunications carriers will not be
>> able to be in the certificate business.
>
> This is actually a good point and there might be a conflict of
> interest/requirements for such entities. It makes sense from my point of
> view that being such a service provider might be more than problematic.

Chris, Eddy, just to look at this same issue from another angle...

Verizon (a US telecoms company) acquired Cybertrust a few years ago. Is
it therefore your opinion that Mozilla should kick Cybertrust out of the
root store?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Eddy Nigg

Mar 13, 2013, 7:15:29 PM3/13/13
to mozilla-dev-s...@lists.mozilla.org
On 03/14/2013 12:42 AM, From Rob Stradling:
> Verizon (a US telecoms company) acquired Cybertrust a few years ago.
> Is it therefore your opinion that Mozilla should kick Cybertrust out
> of the root store?

The same conflict of interest could potentially exist there too, I don't
know. I'm not saying that Verizon's CA does actively support whatever
laws the telephone business requires. But in principle, if such a
problem exists it doesn't really matter in which corner of the world.

Moudrick M. Dadashov

Mar 13, 2013, 11:38:09 PM3/13/13
to irene...@teliasonera.com, dev-secur...@lists.mozilla.org, mozilla-dev-s...@lists.mozilla.org
Pardon me, Irene Krohn, I just wonder who needs this propaganda?

I'm personally interested in your today's "achievements" like your
perfectly organized corruption network across the Baltic region, the
network covering almost all state institutions that have more or less
impact on your profit machine.

I'm also interested to learn more about your spying project in Baltics -
TeliaSonera propaganda machine has been deliberately spreading
misleading information and it took us time to know the truth: your
spying system has had nothing to do with telco billing.
For those unfamiliar with the system: this is not a product sold by
TeliaSonera to a government as some of you realize. Under the political
leadership of TeliaSonera central committee in Stockholm the spying
system has been migrating from one hand to another by selling it from
one TeliaSonera controlled "independent business" to another one. The
investigators confirmed terabytes of spying data found in TeliaSonera
controlled premises. And guess what? The investigation ended with
nothing, the prosecutor said the data were collected without any
specific intention.. did I say TeliaSonera's corruption network is one
of the best?

I'm interested to know more about TeliaSonera's European scale project
where you after successfully bankrupting your competitor KPN/QWEST (aka
EUnet International), acquired their assets (fibre rings in Britain, the
Netherlands, Germany, France, a transatlantic fibre link, network
operations centres etc.) for less than one tenth of their actual value.

Please don't take this as a sign of curiosity; Mozilla's Root inclusion
program REQUIRES
(http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html)
that you publicly disclose information about your policies and ***
business practices *** and before we can talk about your *** business
practices *** I expect you to disclose your organizational structure to us.

Just to remind you, TeliaSonera effectively controls tens, if not
hundreds, of "independent" entities in the region. I have no problem with
your ownership, nor do I have any problems with the number of these
"independent" businesses. But I've a problem with what these businesses
do. Here is the short list: physical telecommunication lines, leased
lines, Internet backbone, DNS, CAs, Data center, web hosting, VoIP, IP
TV, - you see, the whole infrastructure under the single TeliaSonera
umbrella, oh, yes those are all "independent" entities.

Once again, TeliaSonera is NOT a business in the traditional sense, it
owns and controls an undisclosed infrastructure, therefore there is no
chance to understand your *** business practices *** unless we see your
organizational structure. Please provide more info.

Many thanks in advance.

M.D.

ch...@soghoian.net

Mar 13, 2013, 11:59:29 PM3/13/13

Several years ago, it was revealed that Verizon illegally shared its customers' data with the US National Security Agency. This wasn't "lawful interception" performed as a result of a valid order issued by the FISA court, but rather, was part of the warrantless wiretapping program authorized by President Bush after 9/11.

When sued by EFF and the ACLU (disclosure: my employer, although it happened long before I joined the ACLU), Verizon argued in court that the company had a 1st Amendment free speech right to deliver this data to the government.
See: http://arstechnica.com/tech-policy/2007/05/verizon-says-phone-record-disclosure-is-protected-free-speech/

Verizon has a documented track record of participating in and voluntarily facilitating illegal surveillance performed at the nation-state level. We're not talking about one or two illegal wiretaps, but a wholesale surveillance program that evaded the judicial system.

So yes, Verizon should not be permitted to be a CA.

However, I recognize that Cybertrust is a major CA used by a number of big websites, and so kicking them out of the CA store with no notice would seriously disrupt the web. Mozilla could give Cybertrust 1 year to either be spun off/sold to someone else, or be kicked out. That would also give Cybertrust's customers plenty of time to find another CA.

Rob Stradling

Mar 14, 2013, 6:53:26 AM3/14/13
to ch...@soghoian.net, dev-secur...@lists.mozilla.org
Chris, 2 further cases that spring to mind...

Entrust and Blue Coat share the same parent company (Thoma Bravo). Blue
Coat sell lawful interception kit. Would you therefore place Entrust in
the same boat as Cybertrust?

BT (a UK telecoms company) operates a public PKI service using
Subordinate CA certificates issued by Symantec. Do you think Mozilla
should do anything about this?

Moudrick M. Dadashov

Mar 14, 2013, 7:35:12 AM3/14/13
to Rob Stradling, dev-secur...@lists.mozilla.org, ch...@soghoian.net
On 3/14/2013 12:53 PM, Rob Stradling wrote:
> Chris, 2 further cases that spring to mind...
>
> Entrust and Blue Coat share the same parent company (Thoma Bravo).
> Blue Coat sell lawful interception kit. Would you therefore place
> Entrust in the same boat as Cybertrust?
Does Thoma Bravo, like TeliaSonera, own/effectively control any network
infrastructure or at least a significant part of its critical components?
How much of their ownership structure is communication/internet sector
oriented?
>
> BT (a UK telecoms company) operates a public PKI service using
> Subordinate CA certificates issued by Symantec. Do you think Mozilla
> should do anything about this?
Clever solution and obviously quite a different approach. I've never heard
of BT expanding its PKI business to other countries like TeliaSonera.
TeliaSonera effectively controls an "independent pocket CA" in Estonia
and (unfortunately) Mozilla hasn't done anything about this. Do you know
how far TeliaSonera has gone with its corruption business model here?

Thanks,
M.D.


Rob Stradling

Mar 14, 2013, 7:49:33 AM3/14/13
to Moudrick M. Dadashov, dev-secur...@lists.mozilla.org, ch...@soghoian.net
Hi Moudrick.

On 14/03/13 11:35, Moudrick M. Dadashov wrote:
> On 3/14/2013 12:53 PM, Rob Stradling wrote:
>> Chris, 2 further cases that spring to mind...
>>
>> Entrust and Blue Coat share the same parent company (Thoma Bravo).
>> Blue Coat sell lawful interception kit. Would you therefore place
>> Entrust in the same boat as Cybertrust?
> Does Thoma Bravo, like TeliaSonera, own/effectively control any network
> infrastructure or at least a significant part of its critical components?
> How much of their ownership structure is communication/internet sector
> oriented?

I have no idea.

>> BT (a UK telecoms company) operates a public PKI service using
>> Subordinate CA certificates issued by Symantec. Do you think Mozilla
>> should do anything about this?
> Clever solution and obviously quite a different approach. I've never heard
> of BT expanding its PKI business to other countries like TeliaSonera.
> TeliaSonera effectively controls an "independent pocket CA" in Estonia
> and (unfortunately) Mozilla hasn't done anything about this. Do you know
> how far TeliaSonera has gone with its corruption business model here?

I only know what I've read in this thread over the last few days.


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com


silv...@gmail.com

Apr 16, 2013, 7:38:57 AM4/16/13
to mozilla-dev-s...@lists.mozilla.org
Being a CA means that people should trust you and your certificates. There is no way ever that I will trust a telecom to become a CA. They assist the authorities in any country they operate in. In most they are obligated by law to give/store certain types of information. They are thus in a unique position of offering the means of secure end to end communication and the key to eavesdrop on those communications.

I'm sorry, they can't have both. They shouldn't.

I'm sick and tired of telecoms providing data, lawfully or less so, to governments and their agents. In my country (Romania) there are documented cases where the mobile operators would release sensitive data to the police or the information services without court orders (even if the law requires that court orders be issued). No way in Hell would I trust any of those telecoms' certificates should they wish to become CAs.

Stick to shifting data Telia. If we can't trust you, you can't be a CA.

Horne, Rob

Apr 17, 2013, 9:35:10 AM4/17/13
to dev-secur...@lists.mozilla.org
I'm not agreeing or disagreeing with the inclusion request but thought others might like to see the discussion is making the news:

http://www.theregister.co.uk/2013/04/16/mozilla_threatens_teliasonera/

Regards, Rob

jaku...@gmail.com

Apr 18, 2013, 5:37:42 AM4/18/13
to mozilla-dev-s...@lists.mozilla.org
Has CNNIC paid more to Mozilla? And how about Comodo? How about you simply start using system certificate store like IE and FF and drop this BS once and for all? Long overdue!

Erwann Abalea

Apr 18, 2013, 8:18:58 AM4/18/13
On Thursday, 18 April 2013 11:37:42 UTC+2, jaku...@gmail.com wrote:
> Has CNNIC paid more to Mozilla? And how about Comodo?

Nothing is paid to Mozilla. The only prices are for infrastructure, salaries, audits, software, ...

> How about you simply start using system certificate store like IE and FF and drop this BS once and for all? Long overdue!

What are you talking about? This is precisely for integration into FF (FF=Firefox, Mozilla, etc).

Mozilla CA program is public, you're invited to participate. Just be constructive.

jaku...@gmail.com

Apr 18, 2013, 10:57:28 AM4/18/13
On Thursday, 18 April 2013 14:18:58 UTC+2, Erwann Abalea wrote:
> What are you talking about? This is precisely for integration into FF (FF=Firefox, Mozilla, etc).

What am I talking about? That you should use the *system* certificate store, and drop all the Firefox certificate management crap altogether. Do coding and stop doing politics. Including and trusting (or not) CAs should be left as a task for sysadmins and OS/distribution vendors. No, it is not doable currently with your products, because any centralized management is missing (like, GPO templates.) All the time spent on debating whether Honest Achmed certs (https://bugzilla.mozilla.org/show_bug.cgi?id=647959) should be included or not would *way* better be spent on fixing this ages-lasting missing feature.

But wait - oh yeah, you won't do that, because you love the politics and getting paid by the "trusted" CAs, such as CNNIC, or Comodo, or TeliaSonera, or similar.

(In case it's still not clear, the FF there was a "thinko" (as in "typo"); I of course meant IE and *Chrome*, not FF.) BS'o'meter maxed out, sorry.

Ryan Sleevi

Apr 18, 2013, 11:11:56 AM4/18/13
to jaku...@gmail.com, dev-secur...@lists.mozilla.org
On Thu, April 18, 2013 7:57 am, jaku...@gmail.com wrote:
> On Thursday, April 18, 2013 at 14:18:58 UTC+2, Erwann Abalea wrote:
Hi Jakub,

I would also encourage you to be more constructive in tone and content.

I suspect you're not aware of the fact that the vast majority (at this
point, nearly all) Linux distros explicitly rely on the Mozilla root
program and its public, open, and transparent nature as a basis for making
decisions about inclusions.

Further, while you use Chrome as an example, Chrome on iOS, Linux, and
ChromeOS also make explicit use of the Mozilla root program.

Were it not for the high quality, public, and transparent nature of these
root programs, you would find each vendor (including of OSes such as
Firefox OS and ChromeOS) would individually need to make these decisions -
and in a way that may not be transparent or public.

I don't know why you keep suggesting there is payment involved. Mozilla's
root program was one of the first to actually be payment free - prior to
that, most root stores involved fees being paid to the program operator,
the exact situation you're incorrectly and misleadingly implying happens
with Mozilla.

Again, I would encourage you to take a look at how best to be constructive
in these discussions. It's perfectly fine to disagree, and to make that
known, but let's not go off onto random and factually inaccurate attacks.

Regards,

jaku...@gmail.com

Apr 18, 2013, 11:17:55 AM4/18/13
to jaku...@gmail.com, dev-secur...@lists.mozilla.org, ryan-mozde...@sleevi.com
"High quality, public, and transparent nature"? OH RLY? What's been the "community feedback" wrt CNNIC? What's been the outcome? Made my day, really.

"you would find each vendor (including of OSes such as Firefox OS and ChromeOS) would individually need to make these decisions"

Absolutely no harm done. Once again, plop whatever you find fit into the *system* certificate store and let users/admins manage that. *Centrally*. Not deal with each damned certificate in every browser/mail client/whatever else they have installed. Not sustainable at all. Per-application CA management is an absolutely obnoxious waste of time.

gregm...@rogers.com

Apr 19, 2013, 6:42:22 PM4/19/13