Mozilla is taking the first step toward denying a request by United Arab Emirates-based DarkMatter to be included as a top-level certificate authority in Mozilla’s root certificate program.
A subordinate certificate authority (CA) under QuoVadis, now part of DigiCert (the CA that acquired Symantec’s certificate business), DarkMatter filed a request to add its root to Mozilla products back in December 2017, and the request has been under review ever since.
Earlier this year, Mozilla asked the community to share thoughts on the proper course of action regarding DarkMatter, citing several press articles suggesting that the UAE-based company has been engaged in broad cyber-espionage activities.
Many of those involved in the discussion raised concerns that the organization might abuse its position as a trusted CA to engage into cyber-espionage operations.
Four months after the discussion was opened, Wayne Thayer, Certification Authority Program Manager at Mozilla, recommended that this inclusion request be denied, noting that DarkMatter cannot be trusted and that users’ safety should be the top most priority for Mozilla.
“Some, including DarkMatter representatives, have declared the need to examine and consider the benefits of having DarkMatter as a trusted CA. However, last year we changed our policy to replace the weighing of benefits and risks with ‘based on the risks of such inclusion to typical users of our products’,” Thayer notes.
He also points out that, over the years, four different articles published by known news outlets have provided indication that DarkMatter is engaged in shady activities that might put Mozilla’s users at risk.
“If we assume for a second that these allegations are true, then there is still a sincere debate over what role they should play in our decision to trust DarkMatter as a CA. The argument for considering these allegations is akin to the saying ‘where there’s smoke there’s fire’, while the argument against can be described as ‘innocent until proven guilty’,” Thayer says.
He also responded to DarkMatter’s claim that a rebranding effort is underway, which will result in the CA subsidiary being completely and wholly separate from the DarkMatter Group. However, with DarkMatter transitioning all CA business to DigitalTrust, which is controlled by the individual who owns the DarkMatter Group, these organizations might not be able to operate independently, he notes.
On top of that, Thayer points out that Mozilla’s principles to protect users’ security and privacy and include CA certificates in the root program ‘based on the risks of such inclusion to typical users’ should be at the heart of this decision.
“I believe this framing strongly supports a decision to revoke trust in DarkMatter’s intermediate certificates. While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users,” Thayer says.
“I will be opening a bug requesting the distrust of DarkMatter’s subordinate CAs pending Kathleen’s concurrence. I will also recommend denial of the pending inclusion request, and any new requests from DigitalTrust,” he continues.