> On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy
> <[email protected]> wrote:
>
> In the light of this, I believe it is reasonable to discuss the question
> of whether Visa's PKI (and, specifically, the VISA eCommerce Root,
> https://crt.sh/?id=896972 , which is the one included in our store)
> meets the criteria for inclusion in Mozilla's Root Store Policy, and
> whether it is appropriate for them to continue to hold public trust.
> Your comments are welcome.

I don't think this issue ever got a conclusion. It is clear to me that Visa should be removed from the Mozilla root program immediately.

Visa has been extremely unresponsive in general. The most recent case was their non-compliant OCSP responder:

https://bugzilla.mozilla.org/show_bug.cgi?id=1398261

It took them five months to fix the problem, and there is still no incident report.

In their response to January CA Communication Action 2 (about insecure domain validation methods), they did not provide a comment response, but selected the option indicating they were using these vulnerable methods and required a date for an update in the comment field:

> We have active (not expired or revoked) certificates issued using these
> methods. We will review our implementation for vulnerabilities and report our
> findings on the mozilla.dev.security.policy list by the date specified in the
> comments section below.

There are currently only 90 unexpired certificates issued by this CA known to CT:

https://crt.sh/?Identity=%25&iCAID=1414&exclude=expired

(last time we looked, there were only 27 and two were revoked)

Additionally, the telemetry shows an extremely small number of validations.

It's not clear to me from their responses whether they are even currently BR-compliant, and as of September 13, 2017 it seems like they weren't:

> Regarding BR compliance, we completed our initial BR audit in September of
> 2016. Since that time, we have been addressing the observations noted by our
> external auditors. This also would encompass any certificate issues that
> have been publicly reported. Understanding that such changes in adopting a
> new process will have business impact, it is difficult to provide an accurate
> timeline of complete compliance as we are required to assess the impact to
> our client and payment systems to avoid any operational impact. We are
> committed to aligning with BR and Mozilla requirements as we have
> continuously moved forward in making the necessary changes.

Given all this, I don't think there is a lot of risk to Mozilla's users with no benefit if Visa continues to be included in the root program.

Jonathan

