On Tuesday, September 19, 2017 at 10:13:26 AM UTC-5, Gervase Markham wrote:

> >From the above, we see that Visa only issues certificates to their own
> customers/clients, and not to the public. They believe that this permits
> them to keep confidential details of the certificates which they wish to
> have public trust.

The overall question of whether they should be issuing special use certificates 
from a publicly trusted CA is worthwhile, but I wonder whether the point about 
disclosure / confidential details of certificate issuance isn't practically 
mooted by the anticipated requirement that from April of next year, leaf 
certificates from included public CAs will require SCT proofs in order to be 
trusted by the (currently) largest market share browser?  (And presumably the 
other browsers will likely follow suit similarly?)

The other matters in discussion regarding this root hierarchy almost certainly 
do merit some attention.

It sounds like VISA is generally using this between software and hardware 
elements of an intranet / extranet nature between the VISA organization and 
partner banking institutions and their service providers.  What interest of 
theirs is served by being included in public trust stores?
dev-security-policy mailing list

Reply via email to