On Fri, Sep 28, 2018 at 12:29 PM Eric Mill <e...@konklone.com> wrote:

> On Thu, Sep 27, 2018 at 5:22 PM Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Visa has filed a bug [1] requesting removal of the eCommerce root from the
>> Mozilla root store. Visa has also responded to the information requested in
>> the qualified audits bug [2], but it's unclear if or when they will respond
>> to the issues list presented in this thread. Two weeks have passed since I
>> posted the issues list, and I see no reason to delay the complete distrust
>> of Visa's eCommerce root. That is likely to happen in Firefox 64 [3] via
>> removal of the root from NSS version 3.40. Visa is still welcome to
>> respond to the issues list, but I think the removal of Visa's only included
>> root, and thus Visa, from the Mozilla CA Certificate Program implies that
>> this discussion has reached a conclusion.
>>
>
> Visa also stated in their removal bug:
>
> "Visa’s plan is to remove the SHA1 root and introduce a new SHA2 and ECC
> root."
>
> Were Visa to apply to the Mozilla program with one or more new roots,
> would those be new discussions, or would that cause this discussion about
> Visa's history of issues to be re-opened?
>

It would be a new discussion in which I think it is safe to assume that
Visa's prior issues would be considered, as well as their response (if any)
to this discussion.

> -- Eric
>
>> - Wayne
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1493822
>> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1485851#c2
>> [3] https://wiki.mozilla.org/Release_Management/Calendar
>>
>> On Sun, Sep 23, 2018 at 1:15 PM Ryan Sleevi <r...@sleevi.com> wrote:
>>
>>> On Thu, Sep 13, 2018 at 3:26 PM Wayne Thayer via dev-security-policy <
>>> dev-security-policy@lists.mozilla.org> wrote:
>>>
>>>> Visa recently delivered new qualified audit reports for their eCommerce
>>>> Root that is included in the Mozilla program. I opened a bug [1] and
>>>> requested an incident report from Visa.
>>>>
>>>> Visa was also the subject of a thread [2] earlier this year in which I
>>>> stated that I would look into some of the concerns that were raised. I've
>>>> done that and have compiled the following issues list:
>>>>
>>>> https://wiki.mozilla.org/CA:Visa_Issues
>>>>
>>>> While I have attempted to make this list as complete, accurate, and factual
>>>> as possible, it may be updated as more information is received from Visa
>>>> and the community.
>>>>
>>>> I would like to request that a representative from Visa engage in this
>>>> discussion and provide responses to these issues.
>>>>
>>>> - Wayne
>>>>
>>>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1485851
>>>> [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/NNV3zvX43vE/ns8UUwp8BgAJ
>>>
>>> I've not seen Visa engage in this discussion. The silence is rather
>>> deafening, and arguably unacceptably so.
>>>
>>> With respect to the Qualified Audit, Visa's response as to the substance
>>> of the issue is particularly unsettling.
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1485851#c3 demonstrates that
>>> they've not actually remediated the qualification, that they've further
>>> failed to meet the BRs' requirements on revocations by any reasonable
>>> perspective, and they don't even have a plan yet to remedy this issue.
>>>
>>> Examining the bug itself is fairly disturbing, and the responses likely
>>> reveal further BR violations. For example, the inability to obtain evidence
>>> of domain validation information reveals that there are further issues with
>>> 2-7.3 - namely, maintaining those logs for 7 years. The response to 2-7.3
>>> suggests that there are likely more endemic issues around the issuance.
>>>
>>> Given the past issues, the recently identified issues (that appear to have
>>> been longstanding), and the new issues that Visa's PKI Policy team is
>>> actively engaging in, I believe it would be appropriate and necessary to
>>> consider removing trust in this CA.
>>>
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>