In , as part of
their comments on a report of BR-non-compliant certificate issuance, a
representative of VISA said the following:

"I would like to share with you some details regarding our PKI System
and our position within the CA/Browser Forum.  Visa is one of the oldest
operating Certificate Authorities and is currently a non-voting member
within the CA/Browser Forum.  Visa has been operating a closed PKI
system prior to the inception of the Baseline Requirements, which we had
a number of legacy processes for the issuance and fulfillment of our
certificates to our clients.  Certificates that are issued by Visa
public CA’s are issued only to our clients for interconnectivity
purposes.  Unlike other CA’s and particularly those that have undergone
your Blink Process, our core business is not PKI.  The certificates that
were impacted with the noted issues were not issued erroneously to a bad
actor(s) nor do we issue certificates to the open public. Due to our
unique PKI system, we are not at liberty to divulge with the public our
list of impacted clients and their certificates without our Legals' consent.

Regarding BR compliance, we completed our initial BR audit in September
of 2016.  Since that time, we have been addressing the observations
noted by our external auditors.  This also would encompass any
certificate issues that have been publically reported.  Understanding
that such changes in adopting a new process will have business impact,
it is difficult to provide an accurate timeline of complete compliance
as we are required to assess the impact to our client and payment
systems to avoid any operational impact.  We are committed to aligning
with BR and Mozilla requirements as we have continuously move forward in
making the necessary changes."

From the above, we see that Visa only issues certificates to their own
customers/clients, and not to the public. They believe that this permits
them to keep confidential details of the certificates which they wish to
have public trust.

The Mozilla Root Store Policy, section 2.1, states:

"2.1 CA Operations. CAs whose certificates are included in Mozilla's
root program MUST:
1) provide some service relevant to typical users of our software
products; ..."

My memory suggests to me that this clause is normally understood to
preclude the inclusion of companies who wish to only issue certificates
to themselves and their customers.

We also see that they are unable to provide a timeline for full BR
compliance. This is despite various assurances of current compliance to
Mozilla policies (and thereby the BRs) in various CA communications,
such as April 2017 and March 2016.

In the light of this, I believe it is reasonable to discuss the question
of whether Visa's PKI (and, specifically, the VISA eCommerce Root, , which is the one includes in our store)
meets the criteria for inclusion in Mozilla's Root Store Policy, and
whether it is appropriate for them to continue to hold public trust.
Your comments are welcome.


dev-security-policy mailing list

Reply via email to