On Tue, Feb 13, 2018 at 10:49 AM, Jonathan Rudenberg <jonat...@titanous.com> wrote:
> > > On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > In the light of this, I believe it is reasonable to discuss the question > > of whether Visa's PKI (and, specifically, the VISA eCommerce Root, > > https://crt.sh/?id=896972 , which is the one includes in our store) > > meets the criteria for inclusion in Mozilla's Root Store Policy, and > > whether it is appropriate for them to continue to hold public trust. > > Your comments are welcome. > > I don’t think this issue ever got a conclusion. It is clear to me that > Visa should be removed from the Mozilla root program immediately. > > We did reach a conclusion on the original question that Gerv raised in this thread: does Visa meet the following requirement from section 2.1 of the Mozilla root store policy: CAs whose certificates are included in Mozilla's root program MUST provide some service relevant to typical users of our software products. In the thread on this list titled "Updating Root Inclusion Criteria" it was decided that we will not attempt to restrict organizations from participating in the Mozilla CA program based on a judgement of their value to our users. Visa has been extremely unresponsive in general. The most recent case was > their non-compliant OCSP responder: https://bugzilla.mozilla.org/s > how_bug.cgi?id=1398261 > > It took them five months to fix the problem, and there is still no > incident report. > > Correct. Would a representative from Visa care to comment on this? In their response to January CA Communication Action 2 (about insecure > domain validation methods), they did not provide a comment response, but > selected the option indicating they were using these vulnerable methods and > required a date for an update in the comment field: > > > We have active (not expired or revoked) certificates issued using these > methods. We will review our implementation for vulnerabilities and report > our findings on the mozilla.dev.security.policy list by the date specified > in the comments section below. > > Good point. I would appreciate a response from a Visa representative with the date by which these findings will be reported. > There are currently only 90 unexpired certificates issued by this CA known > to CT: https://crt.sh/?Identity=%25&iCAID=1414&exclude=expired (last time > we looked, there were only 27 and two were revoked) > > Additionally, the telemetry shows an extremely small number of validations. > > It’s not clear to me from their responses whether they are even currently > BR-compliant, and as of September 13, 2017 it seems like they weren’t: > > > Regarding BR compliance, we completed our initial BR audit in September > of 2016. Since that time, we have been addressing the observations noted > by our external auditors. This also would encompass any certificate issues > that have been publically reported. Understanding that such changes in > adopting a new process will have business impact, it is difficult to > provide an accurate timeline of complete compliance as we are required to > assess the impact to our client and payment systems to avoid any > operational impact. We are committed to aligning with BR and Mozilla > requirements as we have continuously move forward in making the necessary > changes . > > The most recent BR audit report for the Visa eCommerce Root contains 3 qualifications: http://enroll.visaca.com/WTBR%20eComm.pdf Given all this, I don’t think there is a lot of risk to Mozilla’s users > with no benefit if Visa continues to be included in the root program. > > Jonathan _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
