HackerTrans
TopNewTrendsCommentsPastAskShowJobs

charleyablaze

no profile record

Submissions

13 days before the first eIDAS vote, still no public text

last-chance-for-eidas.org
54 points·by charleyablaze·vor 3 Jahren·18 comments

EU's concealment of secret 'expert list' on CSAM regulation is maladministration

iccl.ie
397 points·by charleyablaze·vor 3 Jahren·199 comments

What the QWAC? An EV Certificate all over again

scotthelme.co.uk
165 points·by charleyablaze·vor 3 Jahren·82 comments

Concerns about Trustcor CA

groups.google.com
12 points·by charleyablaze·vor 4 Jahren·0 comments

comments

charleyablaze
·vor 3 Jahren·discuss
Extract:

There are now less than 13 days until the vote and the cyber security community, civil society and the public are still unable to read the proposed regulation, let alone scrutinize its impacts.

In a media Q&A given by the European Commission on Thursday (9th November), the Commission characterized the risks raised in the open letter from cyber security experts and civil society as a ‘misunderstanding’. The Commission went on to state that the open letter had been discussed with their experts, who concluded ‘there is no risk of government spying, nor breaching the confidentiality of internet connections’.
charleyablaze
·vor 3 Jahren·discuss
The secret text of Article 45:

> I have access to the near-final text of the regulation, which is not yet public, but was leaked to me by a confidential source.

‘qualified certificate for website authentication’ means a certificate for website authentication, which is issued by a qualified trust service provider and meets the requirements laid down in Annex IV; Evaluation of compliance with those requirements shall be carried out in accordance with the standards and the specifications referred to in paragraph 3.

Qualified certificates for website authentication issued in accordance with paragraph 1 shall be recognised by web-browsers. Web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1

Qualified certificates for website authentication shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1.

1. Web-browsers shall not take any measures contrary to their obligations set out in Art 45, notably the requirement to recognise Qualified Certificates for Web Authentication, and to display the identity data provided in a user friendly manner.

2. By way of derogation to paragraph 1 and only in case of substantiated concerns related to breaches of security or loss of integrity of an identified certificate or set of certificates, web-browsers may take precautionary measures in relation to that certificate or set of certificates

3. Where measures are taken, web-browsers shall notify their concerns in writing without undue delay, jointly with a description of the measures taken to mitigate those concerns, to the Commission, the competent supervisory authority, the entity to whom the certificate was issued and to the qualified trust service provider that issued that certificate or set of certificates. Upon receipt of such a notification, the competent supervisory authority shall issue an acknowledgement of receipt to the web-browser in question.

4. The competent supervisory authority shall consider the issues raised in the notification in accordance with Article 17(3)(c). When the outcome of that investigation does not result in the withdrawal of the qualified status of the certificate(s), the supervisory authority shall inform the web-browser accordingly and request it to put an end to the precautionary measures referred to in paragraph 2.

There is also recital text which I did not copy.
charleyablaze
·vor 3 Jahren·discuss
Scott Helme has leaked the secret text of Article 45! (scroll down)

https://scotthelme.co.uk/what-the-qwac/
charleyablaze
·vor 3 Jahren·discuss
This prevents governments, ISPs, etc from identifying which websites people are visiting and censoring their connections. Firefox are enabling it by default.
charleyablaze
·vor 3 Jahren·discuss
Previous discussion from Cloudflare's launch: https://news.ycombinator.com/item?id=37703885
charleyablaze
·vor 4 Jahren·discuss
These are the references that Mozilla listed:

"[6] The identical corporate officers were acknowledged in Rachel McPherson’s initial response and confirmed in a company document submitted privately by Rachel to Mozilla.

[7] Ian Abramowitz is described as the CFO of TrustCor on their website and Rachel McPherson’s initial response notes “They are strictly passive investors, with the exception of Ian Abramowitz”. In a company document submitted privately by Rachel to Mozilla, Ian Abramowitz signs an agreement with TrustCor on behalf of both CHIVALRIC HOLDING COMPANY LLC and FRIGATE BAY HOLDINGS LLC."
charleyablaze
·vor 4 Jahren·discuss
My read is that Mozilla were much more concerned about the shared ownership and operations with Measurement System, than the presence of the malware. I think we can agree that you can't be doing crimes under one company name and simultaneously operate a trusted CA under another?
charleyablaze
·vor 4 Jahren·discuss
I agree there was a lot of mud slinging in that thread, but this is the key bit from Mozilla's response, supported by statements which Trustcor haven't disagreed with:

> Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware. Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.

It's not some other company, its the same owners and operators doing malware under one name and running a CA under another.
charleyablaze
·vor 4 Jahren·discuss
Followed up yesterday with:

"Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware. Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.

[...]

Our assessment is that the concerns about TrustCor have been substantiated and the risks of TrustCor’s continued membership in Mozilla’s Root Program outweighs the benefits to end users.

In line with our earlier communication, we intend to take the following actions:

    1. Set “Distrust for TLS After Date” and “Distrust for S/MIME After Date” to November 30, 2022, for the 3 TrustCor root certificates (TrustCor RootCert CA-1, TrustCor ECA-1, TrustCor RootCert CA-2) that are currently included in Mozilla’s root store.
    2. Remove those root certificates from Mozilla’s root store after the existing end-entity TLS certificates have expired."
charleyablaze
·vor 4 Jahren·discuss
> And from Mozilla "I tend to agree at this point that discussing the merits of the claims might be superfluous, because the conduct of the CA's representative is a more urgent issue [...]"

This comment was made by Filippo Valsorda, previously engineer at Google now independent, not Mozilla.

edit: my bad, I didn't know Filippo had left.
charleyablaze
·vor 4 Jahren·discuss
I agree there was a lot of mud slinging in that thread, but this is the key bit from Mozilla's response, supported by statements which Trustcor haven't disagreed with:

> Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware. Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.

It's not some other company, its the same owners and operators doing malware under one name and running a CA under another.
charleyablaze
·vor 4 Jahren·discuss
Discussion and response on Mozilla's dev-security-policy list:

https://groups.google.com/a/mozilla.org/g/dev-security-polic...