In https://bugzilla.mozilla.org/show_bug.cgi?id=1391087 , as part of
their comments on a report of BR-non-compliant certificate issuance, a
representative of VISA said the following:

"I would like to share with you some details regarding our PKI System
and our position within the CA/Browser Forum.  Visa is one of the oldest
operating Certificate Authorities and is currently a non-voting member
within the CA/Browser Forum.  Visa has been operating a closed PKI
system prior to the inception of the Baseline Requirements, for which we
had a number of legacy processes for the issuance and fulfillment of our
certificates to our clients.  Certificates that are issued by Visa
public CAs are issued only to our clients for interconnectivity
purposes.  Unlike other CAs and particularly those that have undergone
your Blink Process, our core business is not PKI.  The certificates that
were impacted with the noted issues were not issued erroneously to a bad
actor(s) nor do we issue certificates to the open public. Due to our
unique PKI system, we are not at liberty to divulge to the public our
list of impacted clients and their certificates without our Legals' consent.

Regarding BR compliance, we completed our initial BR audit in September
of 2016.  Since that time, we have been addressing the observations
noted by our external auditors.  This also would encompass any
certificate issues that have been publicly reported.  Understanding
that such changes in adopting a new process will have business impact,
it is difficult to provide an accurate timeline of complete compliance
as we are required to assess the impact to our client and payment
systems to avoid any operational impact.  We are committed to aligning
with BR and Mozilla requirements as we have continuously moved forward in
making the necessary changes."

From the above, we see that Visa only issues certificates to their own
customers/clients, and not to the public. They believe that this permits
them to keep confidential details of the certificates which they wish to
have public trust.

The Mozilla Root Store Policy, section 2.1, states:

"2.1 CA Operations. CAs whose certificates are included in Mozilla's
root program MUST:
1) provide some service relevant to typical users of our software
products; ..."

My memory suggests to me that this clause is normally understood to
preclude the inclusion of companies who wish to only issue certificates
to themselves and their customers.

We also see that they are unable to provide a timeline for full BR
compliance. This is despite various assurances of current compliance to
Mozilla policies (and thereby the BRs) in various CA communications,
such as April 2017 and March 2016.

In the light of this, I believe it is reasonable to discuss the question
of whether Visa's PKI (and, specifically, the VISA eCommerce Root,
https://crt.sh/?id=896972 , which is the one included in our store)
meets the criteria for inclusion in Mozilla's Root Store Policy, and
whether it is appropriate for them to continue to hold public trust.
Your comments are welcome.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy