Visa has filed a bug [1] requesting removal of the eCommerce root from the
Mozilla root store. Visa has also responded to the information requested in
the qualified audits bug [2], but it's unclear if or when they will respond
to the issues list presented in this thread. Two weeks have passed since I
posted the issues list, and I see no reason to delay the complete distrust
of Visa's eCommerce root. That is likely to happen in Firefox 64 [3] via
removal of the root from NSS version 3.40. Visa is still welcome to
respond to the issues list, but I think the removal of Visa's only included
root, and thus Visa, from the Mozilla CA Certificate Program implies that
this discussion has reached a conclusion.

- Wayne

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1493822
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1485851#c2
[3] https://wiki.mozilla.org/Release_Management/Calendar

On Sun, Sep 23, 2018 at 1:15 PM Ryan Sleevi <r...@sleevi.com> wrote:

>
>
> On Thu, Sep 13, 2018 at 3:26 PM Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Visa recently delivered new qualified audit reports for their eCommerce
>> Root that is included in the Mozilla program. I opened a bug [1] and
>> requested an incident report from Visa.
>>
>> Visa was also the subject of a thread [2] earlier this year in which I
>> stated that I would look into some of the concerns that were raised. I've
>> done that and have compiled the following issues list:
>>
>> https://wiki.mozilla.org/CA:Visa_Issues
>>
>> While I have attempted to make this list as complete, accurate, and
>> factual as possible, it may be updated as more information is received
>> from Visa and the community.
>>
>> I would like to request that a representative from Visa engage in this
>> discussion and provide responses to these issues.
>>
>> - Wayne
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1485851
>> [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/NNV3zvX43vE/ns8UUwp8BgAJ
>
>
> I've not seen Visa engage in this discussion. The silence is rather
> deafening, and arguably unacceptably so.
>
> With respect to the Qualified Audit, Visa's response as to the substance
> of the issue is particularly unsettling.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1485851#c3 demonstrates that
> they've not actually remediated the qualification, that they've further
> failed to meet the BRs requirements on revocations by any reasonable
> perspective, and they don't even have a plan yet to remedy this issue.
>
> Examining the bug itself is fairly disturbing, and the responses likely
> reveal further BR violations. For example, the inability to obtain evidence
> of domain validation information reveals that there are further issues with
> 2-7.3 - namely, maintaining those logs for 7 years. The response to 2-7.3
> suggests that there are likely more endemic issues around the issuance.
>
> Given the past issues, the recently identified issues (that appear to have
> been longstanding), and the new issues that Visa's PKI Policy team is
> actively engaging in, I believe it would be appropriate and necessary to
> consider removing trust in this CA.
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy