https://crt.sh/mozilla-certvalidations?group=version&id=896972 is a very informative graph for me -- this is the number of validations performed by Firefox for certs under this CA. It looks like at the absolute peak, there were 1000 validations in a day. That's very little value for our users, in return for an awful lot of risk.
Alex

On Tue, Sep 19, 2017 at 11:12 AM, Gervase Markham via dev-security-policy <[email protected]> wrote:

> In https://bugzilla.mozilla.org/show_bug.cgi?id=1391087 , as part of
> their comments on a report of BR-non-compliant certificate issuance, a
> representative of VISA said the following:
>
> "I would like to share with you some details regarding our PKI System
> and our position within the CA/Browser Forum. Visa is one of the oldest
> operating Certificate Authorities and is currently a non-voting member
> within the CA/Browser Forum. Visa has been operating a closed PKI
> system prior to the inception of the Baseline Requirements, which we had
> a number of legacy processes for the issuance and fulfillment of our
> certificates to our clients. Certificates that are issued by Visa
> public CA's are issued only to our clients for interconnectivity
> purposes. Unlike other CA's and particularly those that have undergone
> your Blink Process, our core business is not PKI. The certificates that
> were impacted with the noted issues were not issued erroneously to a bad
> actor(s) nor do we issue certificates to the open public. Due to our
> unique PKI system, we are not at liberty to divulge with the public our
> list of impacted clients and their certificates without our Legals'
> consent.
>
> Regarding BR compliance, we completed our initial BR audit in September
> of 2016. Since that time, we have been addressing the observations
> noted by our external auditors. This also would encompass any
> certificate issues that have been publicly reported. Understanding
> that such changes in adopting a new process will have business impact,
> it is difficult to provide an accurate timeline of complete compliance
> as we are required to assess the impact to our client and payment
> systems to avoid any operational impact. We are committed to aligning
> with BR and Mozilla requirements as we have continuously moved forward in
> making the necessary changes."
>
> From the above, we see that Visa only issues certificates to their own
> customers/clients, and not to the public. They believe that this permits
> them to keep confidential details of the certificates which they wish to
> have public trust.
>
> The Mozilla Root Store Policy, section 2.1, states:
>
> "2.1 CA Operations. CAs whose certificates are included in Mozilla's
> root program MUST:
> 1) provide some service relevant to typical users of our software
> products; ..."
>
> My memory suggests to me that this clause is normally understood to
> preclude the inclusion of companies who wish to only issue certificates
> to themselves and their customers.
>
> We also see that they are unable to provide a timeline for full BR
> compliance. This is despite various assurances of current compliance to
> Mozilla policies (and thereby the BRs) in various CA communications,
> such as April 2017 and March 2016.
>
> In the light of this, I believe it is reasonable to discuss the question
> of whether Visa's PKI (and, specifically, the VISA eCommerce Root,
> https://crt.sh/?id=896972 , which is the one included in our store)
> meets the criteria for inclusion in Mozilla's Root Store Policy, and
> whether it is appropriate for them to continue to hold public trust.
> Your comments are welcome.
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

