On Tuesday, September 19, 2017 at 10:13:26 AM UTC-5, Gervase Markham wrote:
> From the above, we see that Visa only issues certificates to their own
> customers/clients, and not to the public. They believe that this permits
> them to keep confidential details of the certificates which they wish to
> have public trust.

The overall question of whether they should be issuing special use certificates from a publicly trusted CA is worthwhile, but I wonder whether the point about disclosure / confidential details of certificate issuance isn't practically mooted by the anticipated requirement that from April of next year, leaf certificates from included public CAs will require SCT proofs in order to be trusted by the (currently) largest market share browser? (And presumably the other browsers will likely follow suit similarly?)

The other matters in discussion regarding this root hierarchy almost certainly do merit some attention.

It sounds like VISA is generally using this between software and hardware elements of an intranet / extranet nature between the VISA organization and partner banking institutions and their service providers. What interest of theirs is served by being included in public trust stores?