On Tue, Sep 19, 2017 at 8:12 AM, Gervase Markham via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> In https://bugzilla.mozilla.org/show_bug.cgi?id=1391087 , as part of
> their comments on a report of BR-non-compliant certificate issuance, a
> representative of VISA said the following:
> "Visa has been operating a closed PKI
> system prior to the inception of the Baseline Requirements, which we had
> a number of legacy processes for the issuance and fulfillment of our
> certificates to our clients.  Certificates that are issued by Visa
> public CA’s are issued only to our clients for interconnectivity
> purposes."
> From the above, we see that Visa only issues certificates to their own
> customers/clients, and not to the public. They believe that this permits
> them to keep confidential details of the certificates which they wish to
> have public trust.
> The Mozilla Root Store Policy, section 2.1, states:
> "2.1 CA Operations. CAs whose certificates are included in Mozilla's
> root program MUST:
> 1) provide some service relevant to typical users of our software
> products; ..."
> My memory suggests to me that this clause is normally understood to
> preclude the inclusion of companies who wish to only issue certificates
> to themselves and their customers.


I think your statement is a little broad.  Every CA only issues
certificates to themselves and their own customers (or as the BRs call
them "Subscribers").  What is key here is that Mozilla requires the
certificates have relevance to "typical users of [Firefox]" while
while Visa explicitly says they only use the certificates for
"interconnectivity" purposes.  I take it to mean connections between
their clients and Visa, not between clients and the broad Internet
user base.

> We also see that they are unable to provide a timeline for full BR
> compliance. This is despite various assurances of current compliance to
> Mozilla policies (and thereby the BRs) in various CA communications,
> such as April 2017 and March 2016.
> In the light of this, I believe it is reasonable to discuss the question
> of whether Visa's PKI (and, specifically, the VISA eCommerce Root,
> https://crt.sh/?id=896972 , which is the one includes in our store)
> meets the criteria for inclusion in Mozilla's Root Store Policy, and
> whether it is appropriate for them to continue to hold public trust.
> Your comments are welcome.

That crt.sh link shows that it only has one unexpired subordinate CA,
the "Visa eCommerce Issuing CA".  CT logs only show 27 unexpired
certificates issued by this subordinate CA:
https://crt.sh/?Identity=%25&iCAID=1414&exclude=expired, of which two
are revoked.

The included CAs list indicates it never followed the current Mozilla
inclusion process, but is one of four "legacy" CAs.  The other three
are operated by CAs that have followed the inclusion process for other
roots, so this means Visa is the only CA operator in the Mozilla
program who is a purely "legacy" CA.

I take legacy to mean that they were never assessed against the
Mozilla inclusion standards, so it does seem reasonable to review
whether they continue to meet the inclusion policy.

dev-security-policy mailing list

Reply via email to