
Issue 780550

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Feature




Request: Distrust Staat der Nederlanden CA

Reported by mhaa...@gmail.com, Nov 1 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.105 Safari/537.36 Vivaldi/1.92.917.43

Steps to reproduce the problem:
1. Accept default trusted certificates.

What is the expected behavior?
Revoke trust for Staat der Nederlanden CA. Allowing the Ministry of Interior and Kingdom Relations to continue operating a trusted CA in a country hosting a major Internet transit point would be detrimental to the security of all Chrom(e)/(ium) Users.

What went wrong?
Became vulnerable to MitM attacks.

The new "Wet op de inlichtingen- en veiligheidsdiensten (Wiv)" (Law for intelligence and security services) has been accepted by the Dutch Government. Provisions authorizing new powers for the Dutch intelligence and security services will become active starting January 1st, 2018.

This revision of the law will authorize intelligence and security to intercept and analyze cable-bound (Internet) traffic, and will include far-reaching authorizations, including covert technical attacks, to facilitate their access to encrypted traffic.

Article 45 1.b, explicitly authorizes the use of "false keys" in third party systems to obtain access to systems and data.

The continued inclusion of the "Staat der Nederlanden" Certificate Authority, which is operated by PKIOverheid / Logius, a division of the Ministry of Interior and Kingdom Relations-- the same ministry under which the AIVD intelligence service operates-- in Mozilla products is therefore no longer appropriate.

The full text of the law may be found here https://www.aivd.nl/binaries/aivd_nl/documenten/kamerstukken/2017/08/17/publicatie-in-staatsblad-van-wiv-2017/20170817+Publicatie+Wiv+2017+in+Staatsblad.pdf

Did this work before? N/A 

Chrome version: 60.0.3112.105  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 27.0 r0

This was also reported to the Mozilla Team which can be seen at https://bugzilla.mozilla.org/show_bug.cgi?id=1408647.
 
Components: Internals>Network>Certificate
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Feature
Summary: Request: Distrust Staat der Nederlanden CA (was: Logius: Staat der Nederlanden CA trust issue (WiV))

On most platforms, Chrome relies on the underlying system trust store to determine root trust.

This Issue can be treated as a feature request to explicitly distrust this root.

Comment 2 by wfh@chromium.org, Nov 1 2017

Cc: rsleevi@chromium.org
Labels: M-64
Status: Untriaged (was: Unconfirmed)

As per comment #1, as this is marked as Feature request, changing the status to 'Untriaged' for further updates from Dev.

Thanks..

Status: WontFix (was: Untriaged)

Thank you for filing this bug.

At this time, there is zero evidence to indicate that this CA is operating in a way that is inconsistent with our standards or policies. We have seen the bug you've filed against other root programs, and are satisfied with both the response, as well as the current independent demonstration of compliance.

Further, as this CA has voluntarily stepped up to disclose everything via Certificate Transparency, we can objectively demonstrate whether or not the CA violates the relevant standards, rather than speculate. Unless and until such evidence is presented, then on the basis of the currently available information, this CA meets our current requirements.
