Many of us were at some point trained to look for a padlock in our web browser’s location bar to make sure a web site we’re visiting is secure, even though it lulls us into what some have called a "false sense of security". Few understand what powers the padlock. Contrary to what you’ve heard, it’s not just about encryption to protect your data transmission; it’s also about identification of the site you’re visiting, to know they are who they say they are. In the last few hours of November, the Mozilla CA Certificate Program (along with Microsoft’s similar program) made an unprecedented public policy decision that impacts how all of us browse the Internet and secure our communications. For them, it was seen as just another removal of a Certificate Authority from their list of hundreds of trusted organizations allowed to designate the "they are who they say they are" part. For everyone else, it signalled a disturbing shift in behaviour where a trusted organization is not removed on the basis of misbehaviour, policy violations, mis-issuance, change of control, or discoveries from accredited 3rd party auditors—but rather on the basis of rumour and innuendo submitted by a start-up company that benefits from the press whether or not its intrigue is justified. In our case, the start-up company got it wrong—but the public struggled to read enough to understand why. TL;DR. A short response to the decision with minor background is below, and will be replaced over the coming days with a longer background, for those who wish to read it.
We strongly disagree with Mozilla’s summary of findings, which essentially ignores contradictory information we had already provided in response to their "fact finding" process, a process which itself was less about finding facts and more like a public interrogation held in a town square. There are signs the reviewers did not even fully absorb the information we provided, in part because many public contributions to the discussion contained responses like "too long, didn’t read" ("tl;dr" in Internet-speak), and in part because the reviewers themselves demonstrate an odd muckraking bias and may lack the professional background needed to understand the answers. This is why accredited auditors are normally relied upon for these purposes, and for the sheer requirement to validate the hundreds of trusted Certificate Authorities at least annually.
In particular, we stand by our word that the defense company mentioned and TrustCor have never shared corporate officers, operational control or technical integrations. As we disclosed before, the only connection we shared was a common group of investment funds. That does not mean a common investor—that means standalone legal entities with multiple investments and multiple investors represented within them. (A condition shared by multiple root program member CAs already). Potentially, the same investors they claim to be problematic could as easily be invested in a number of other program member CAs that were not dragged into this process. In fact, if you contribute to a retirement or pension fund, you may also be related to them.
Additionally, TrustCor has never cooperated with information requests from the US Government or any government, for that matter. Likewise, we have never assisted or enabled any company or 3rd party to surveil, monitor or in any way gather information on our customers for any purpose. It may also come as a surprise that other root program members in "good" standing are in fact international governments, and some are also defense companies, or companies that are wholly owned by defense companies and/or state-owned enterprises, meaning "businesses" that are completely owned or controlled by governments. Further, some of those governments are not free/democratic and in fact some have tragic modern histories of basic human rights violations. We are none of those things and our company does not identify with those values. However, in our case, the very possibility that we’ve had a fund invest in us that had as one of its investors (again, 2 parts removed) someone who has been affiliated with the defense industry in another country is reason enough?
The statements that were made against us not only lack truth, but they go against the founding principles and culture of our company. They dishonour our entire staff who have worked hard every day for nearly 10 years to provide security to the community, for which we have an unmatched and unblemished track record. Becoming a CA is no easy endeavour; TrustCor went through the same rigorous vetting that every CA has to go through. There is no blanket level of trust, and each browser root program works independently of the others with its own set of inclusion rules and processes. This step alone took us over 6 years to accomplish, during which time we went through extensive annual WebTrust audits, and patiently waited for the much needed "global acceptance" to kick-start our business and provide true value to the community.
It’s important to note that the general consensus across all browser root programs was clear on one significant fact: there has been no evidence or speculation that TrustCor has ever mis-issued any certificates or mishandled any key material. We believe, based on that important fact alone, that Mozilla's and Microsoft's decision to distrust TrustCor's roots on the sole unsubstantiated belief of a mere "former affiliation", through "shareholders of shareholders" (2 degrees of separation) with another company, sets a new precedent for the industry. To our knowledge, this is the first time a publicly trusted CA has been distrusted for reasons completely unrelated to the security or operations of the CA itself.
Does this disappointing news signal a departure from what was once a well-established system of controls? Or does it simply cast another shadow on the stark reality that it was never a well-established system of controls, but rather a makeshift hack put into place by Netscape and a fast-moving, well-intentioned world-wide CA community that was never meant to stand the test of time? Either way, it certainly casts doubt on this community’s ability to regulate itself fairly and impartially, which are among the tenets of any trustworthy system of controls.
Last updated: 2022-12-02