[tor-bugs] #29628 [Applications/Tor Browser]: Distrust DarkMatter Intermediate CAs
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Mar 1 19:00:03 UTC 2019
#29628: Distrust DarkMatter Intermediate CAs
--------------------------------------+--------------------------
Reporter: nsuchy | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by sysrqb):
* priority: Immediate => Medium
* severity: Critical => Major
Comment:
You may find the entire thread discussing this topic enlightening. I am
personally in support of Mozilla denying the root inclusion request and
revoking their intermediate CA certificate. However, as it was said
numerous times in the discussion thread, the only reason we know
DarkMatter have these CA certificates is because they applied for root
inclusion - in a public forum. It is very easy for a malicious
organization to obtain an intermediate CA certificate without that
certificate being attributable to them. As far as anyone knows (publicly),
DarkMatter haven't used their current Intermediate CA with malicious
intent, yet(!). If DarkMatter use their CA for malicious purpose in the
future and that malicious activity is detected, then their intermediate CA
certificate should be revoked by DigiCert (and therefore they lose their
trusted position globally). The current question is whether Mozilla should
pre-emptively revoke DarkMatter's Intermediate certificate and reject
their current root.
The Tor Project isn't in a position where we can successfully audit all
anchor and intermediate CAs included in Mozilla's root store. And, even if
we could, we likely wouldn't be able to maintain that long-term. We can
distrust DarkMatter's current intermediate, but given the previous
statement about how Intermediate CAs certificates can be obtained
relatively easily under alternative-names, I don't know if this is a
winning solution. In reality, distrusting one intermediate CA is likely
pointless, other than making a political statement.
I'll leave this open, in case anyone else on the team has more input here.
https://groups.google.com/d/msg/mozilla.dev.security.policy/nnLVNfqgz7g/YiybcXciBQAJ
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29628#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list