
I agree that Kathleen’s response (tone, articulation, scope) was on point. Objectively, it does become hard to justify the value of a CA when there’s a mob of people questioning the value. In a very raw sense, this is probably the most user-centric outcome. So I will sleep on that.

But in a process sense, I am left wanting. I still don’t know what damage was done and why TrustCor CA got this special treatment in the first place in any way material to their CA issuing business, which they appeared to put great effort into operating by the books.



My read is that Mozilla were much more concerned about the shared ownership and operations with Measurement System, than the presence of the malware. I think we can agree that you can't be doing crimes under one company name and simultaneously operate a trusted CA under another?


I do agree that we shouldn’t allow something that overt.

But, if I read correctly, Rachel claimed that there was no longer any shared ownership and tried to explain that ownership in the sense that the word was being used was not a correct term in the first place. I believe she said it was a shared incorporation services / legal counsel / investor, at most, and that the speculation as to that relationship conferring any authority pertaining to the CA’s operations was entirely incorrect since the executive authority had long since been signed over to actual company officers.


I read the full thread (except for paragraphs where she pasted from previous responses).

She failed to reasonably and convincingly refute some allegations. There were repeated requests to provide information, some of which would be trivial to produce if acting in good faith.

After reading the exchange, I (as a reasonable bystander with no material interest in either side):

* Don't understand the relationship between TrustCor and the malware distributor in a clear way that company ownership records would provide

* Take it as a false statement that the mail service doesn't have apps, as its website advertises them

* Don't understand how their auditor audited them when they don't appear to have a presence in Canada that would be factual based on the extracts from the auditor findings

Unrelated to her responses, I could take it on faith that a rogue developer added spyware from a company with the same owners, but the finding that the payloads were sent to TrustCor servers diminishes the acceptance that sufficient controls exist in the company to not question the security of them as a CA.


Re: your last point: I find it especially concerning that all the questions about TrustCor's apparently compromised server were answered with, "MsgSafe's and TrustCor CA's infrastructure is separate". The concern was that TrustCor's practices led to their servers being compromised, which isn't a great sign for a company which operates a CA, even though it wasn't the CA servers themselves which were compromised. Nothing Rachel wrote indicated that the CA servers are operated in a more secure way than the MsgSafe servers, nor that they have changed any practices in response to the compromise.


"no longer any shared ownership" was asserted, but never backed up because of (it was claimed) issues with getting legal documents updated in a timely fashion.

Combining that with basic questions about how exactly ownership changed that were never answered and instead obfuscated behind reams of "nothing speak".

The final basis for the determination seems to be that the main loss from distrusting the TrustCor CA was their sibling company's private email service that is, at best, advertising itself under a very shady definition of E2EE.

Thus this seems like an easy decision to me.

The interesting conclusion that follows from that is that if you are going to operate a shady CA, it behooves you to find some large clients to make cost of revoking your trust higher.


>The interesting conclusion that follows from that is that if you are going to operate a shady CA, it behooves you to find some large clients to make cost of revoking your trust higher.

...Which in essence means CAs probably shouldn't exist as a standalone thing, and everyone should learn to build their own trust networks. None of this vouch nonsense, or Trust theater.


But she never said who actually owned these companies or how they were related, and said doing so would lead to tax problems. That was rather suspicious.


I have no problem saying that if your ownership structure is such that your lawyers or accountants have advised you not to reveal it publicly, you should not be in the CA business.


Apple runs a bunch of crap through a tax loophole in Ireland. Should they be trusted running the entire mobile ecosystem that underpins all of this in the first place? I actually agree that shady companies shouldn't be swept under the rug. But I don't agree with the hypocrisy of singling out some random CA for doing things that most every other company out there does because we lack the backbone as a society to put a stop to the shadiness.


If they are transparent about what they're doing, then it's not the same case I was talking about.

I can't see Apple saying "Well, on advice of our lawyers we can't actually explain our corporate structure to you." Is it a secret that they have a corporate entity in Ireland, is it a secret what they do with it? Or is it public knowledge that they don't hide?

So I wouldn't describe secret ownership structures as a thing "most every company out there does." But I'm not going to say Apple doesn't do unethical things. (Also is Apple even a trusted root CA for Mozilla or Microsoft browsers?)

I think non-transparency is an even higher level of problem for a CA. Secrecy about your corporate structure does not seem okay for a CA -- we need to know who they are and who controls them, non-negotiably. Secrecy of corporate structure does not seem like a thing most every company (or every CA) out there does.

But it's quite possible Apple should _not_ be trusted to "run the entire mobile ecosystem" that uses Apple products. You can make that argument. And we can talk about what the heck any of us can do about it individually or collectively if so. That's a different question than who should be allowed as a trusted CA root, or who Mozilla or Microsoft should allow as a trusted CA root.

When you say "that underpins all of this in the first place", I'm not sure what you mean; Mozilla and Microsoft trusted CA roots affect people who aren't doing anything with Apple products, Apple does not in fact "underpin" the entire SSL CA system in the first place. I don't know what to do about the Apple ecosystem if Apple can't be trusted, but I support Mozilla, Microsoft, or anyone else removing trusted CA roots belonging to companies with secretive corporate structures, ownership, or governance. All of this can be true. Apple doing unethical things doesn't mean Mozilla or Microsoft should allow a trusted root CA with secretive corporate ownership structure.


Sure. The Apple stuff is just an example, I don't mean to suggest they're a CA, but they are trusted to ship the list of CAs that you trust to your devices as are MS and Mozilla, so the exact same question of "should we trust them if they are a corporation of questionable ethics that do the same sort of tax things" exists and is apropos. Why is there a double standard? I find it rather inconsistent that we're going after some "shady" CA for essentially not being forthcoming in response to allegations that they consider false and have no duty to set straight without material proof that the allegations are to be taken seriously, and who look to be the target of a journalistic smear campaign involving forming similarly named corporate entities in the US to try and extract private information about the company via extrajudicial means. I mean why stop with TrustCor? Let's deploy the arsenal! Let's examine the interests of all parties funding all of the systems we trust in society. Seriously. If we're going to give a shit about something why is it some CA nobody's heard of where there is absolutely zero evidence of non-compliance with the required CA processes? Why spend effort on this? It's hardly news that companies try to minimize tax liability by structuring themselves in advantageous ways. What, pray, is a hallmark of a trustworthy company? Perhaps the public should vote on CA inclusion in the root trust list. Fuck the CA oligarchy.


To be honest, it sounded like Rachel herself did not know exactly how the company ownership was structured. It seemed obvious that it was a US company that incorporated abroad for some reason, and that alone is pretty sketchy. It looks like they are trying to hide who actually controls the company. That alone should be reason not to trust them.


Let's agree. Apple, then, should not be trusted either.


You could keep crows away from an entire field with the number of times you've trotted out that strawman. Just leave it be.


It's not a strawman. Literally we're saying "you see TrustCor CA didn't do anything wrong by the books, but we can't trust them anymore because they can't articulate their corporate structure on demand after scandalous allegations". Well, I simply ask people to consider how any other corporation in the same situation would respond. My bet is they'd also be less than forthcoming. And my example is Apple, who we know exploits tax loopholes via complex corporate governance structures, who everyone seems okay with trusting. It just doesn't make sense to me.


Apple is a public company and it's very clear who owns and who controls the company. They're a multinational company that consists of multiple legal entities, and it's generally not a secret who you are doing business with.

TrustCor is a company that looks like a front for a Spyware maker, and when asked about that they say: "It's not like you think, but we don't want to tell you what the actual situation is, so you'll have to trust us, it's fine! Also the spyware we were caught distributing is totally not our fault, it's from a contractor in a completely different business unit and is totally independent from our CA business, but again we can't tell you more because it is secret. But trust us, the CA business is completely legit. And the sketchy things you found were all the idea of a guy who passed away recently, so we unfortunately can't ask him why he did it, but it's all legit don't worry trust us."


> I think we can agree that you can't be doing crimes under one company name and simultaneously operate a trusted CA under another?

Playing devil's advocate: Why not? I mean yes, obviously if you end up in jail that might interfere with your ability to operate a CA (or any company for that matter). But barring that, as long as they haven't done anything to affect the security or proper operation of the CA certificate itself, why is that a basis for removing them from root stores? To the best of my knowledge this action is unprecedented.


Trust would seem to be the key word here. How can you trust an entity in one context when they have proven themselves untrustworthy in another?


> can you trust an entity in one context when they have proven themselves untrustworthy in another

We do that all the time. If, rather than TrustCor being associated with a company making malware we'd instead found out the company's CEO had cheated on his wife, would that be grounds for removing them from the root certificate store? Context matters.


Why the ad hominem attack and call security researchers, professors, professionals and employees from Apple, Mozilla and Google "mob"?

"TrustCor CA got this special treatment"

I'm not a regular on that mailing list, any source that this is special treatment and other CA that are spyware software and snakeoil encryption software creators etc. are treated differently?


There is no ad hominem attack. And, I mean find me a company on the global stage that isn't optimizing taxes using offshore holding companies. If that's too shady to be allowed for a CA, then we shouldn't allow Apple to do it either.


Making use of tax "loopholes" isn't even in the same universe as selling this kind of BS security snake oil and malware.


Which isn't related in any material legal way to TrustCor CA, as has been explained already.


The security BS was being sold by a sibling company, heck, the person responding is a high up in both companies. And there is a lot of evidence of them being connected to the malware vendor.

If they can't rebut those concerns/connections in a clear and convincing way, they have no business being a CA. If you are satisfied with the answers, more power to you, but I honestly don't know how you could be after reading through those emails.


It's frustrating because you're just repeating the same drivel other people who don't have the situation straight are. Nobody related to TrustCor CA is connected to a malware company. That's factually incorrect. They are connected to an email privacy company which offers E2EE email but which, for product reasons, doesn't enable it as the default when you create a new account. The alleged malware company and the email company were historically related when they were born because they shared an investor. But that is no longer the case.


No, the person asserted that they aren't connected, and then offered lots of words about how they aren't connected, without actual good explanations as to why we should believe that assertion.

So, what you are saying is that they just happened to have the same investor, the malicious developer that they say worked for them just happened to include malware from that company (Unobfuscated, unlike every other example available), said developer was able to route traffic through the company domains, just happened to have identical corporate officers, and just happened to be related to a company that brags about being able to bypass SSL?

Let's just say that there is enough there they better have a very clear explanation about it, and instead they are just deflecting, deflecting, deflecting or refusing to answer. I'm sorry it is bad for their business (assuming they actually are innocent of all this), but that is not an appropriate response for a CA when someone is asking legitimate questions based on legitimate suspicion from what would have to be the world's worst series of coincidences.


TrustCor had the source code of the spyware that no-one else had and used it in its product.


Whenever you push that false TrustCor narrative, I will answer with the question that has not been answered: Why did TrustCor have the source code of the spyware no-one had?



