https://crt.sh/mozilla-certvalidations?group=version&id=896972 is a very
informative graph for me -- this is the number of validations performed by
Firefox for certs under this CA. It looks like at the absolute peak, there
were 1000 validations in a day. That's very little value for our users, in
return for an awful lot of risk.

Alex

On Tue, Sep 19, 2017 at 11:12 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> In https://bugzilla.mozilla.org/show_bug.cgi?id=1391087 , as part of
> their comments on a report of BR-non-compliant certificate issuance, a
> representative of VISA said the following:
>
> "I would like to share with you some details regarding our PKI System
> and our position within the CA/Browser Forum.  Visa is one of the oldest
> operating Certificate Authorities and is currently a non-voting member
> within the CA/Browser Forum.  Visa has been operating a closed PKI
> system prior to the inception of the Baseline Requirements, which we had
> a number of legacy processes for the issuance and fulfillment of our
> certificates to our clients.  Certificates that are issued by Visa
> public CAs are issued only to our clients for interconnectivity
> purposes.  Unlike other CAs and particularly those that have undergone
> your Blink Process, our core business is not PKI.  The certificates that
> were impacted with the noted issues were not issued erroneously to a bad
> actor(s) nor do we issue certificates to the open public. Due to our
> unique PKI system, we are not at liberty to divulge with the public our
> list of impacted clients and their certificates without our Legals'
> consent.
>
> Regarding BR compliance, we completed our initial BR audit in September
> of 2016.  Since that time, we have been addressing the observations
> noted by our external auditors.  This also would encompass any
> certificate issues that have been publicly reported.  Understanding
> that such changes in adopting a new process will have business impact,
> it is difficult to provide an accurate timeline of complete compliance
> as we are required to assess the impact to our client and payment
> systems to avoid any operational impact.  We are committed to aligning
> with BR and Mozilla requirements as we have continuously moved forward in
> making the necessary changes."
>
> From the above, we see that Visa only issues certificates to their own
> customers/clients, and not to the public. They believe that this permits
> them to keep confidential details of the certificates which they wish to
> have public trust.
>
> The Mozilla Root Store Policy, section 2.1, states:
>
> "2.1 CA Operations. CAs whose certificates are included in Mozilla's
> root program MUST:
> 1) provide some service relevant to typical users of our software
> products; ..."
>
> My memory suggests to me that this clause is normally understood to
> preclude the inclusion of companies who wish to only issue certificates
> to themselves and their customers.
>
> We also see that they are unable to provide a timeline for full BR
> compliance. This is despite various assurances of current compliance to
> Mozilla policies (and thereby the BRs) in various CA communications,
> such as April 2017 and March 2016.
>
> In the light of this, I believe it is reasonable to discuss the question
> of whether Visa's PKI (and, specifically, the VISA eCommerce Root,
> https://crt.sh/?id=896972 , which is the one included in our store)
> meets the criteria for inclusion in Mozilla's Root Store Policy, and
> whether it is appropriate for them to continue to hold public trust.
> Your comments are welcome.
>
> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>