> On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> In the light of this, I believe it is reasonable to discuss the question
> of whether Visa's PKI (and, specifically, the VISA eCommerce Root,
> https://crt.sh/?id=896972 , which is the one includes in our store)
> meets the criteria for inclusion in Mozilla's Root Store Policy, and
> whether it is appropriate for them to continue to hold public trust.
> Your comments are welcome.

I don’t think this issue ever got a conclusion. It is clear to me that Visa 
should be removed from the Mozilla root program immediately.

Visa has been extremely unresponsive in general. The most recent case was their 
non-compliant OCSP responder: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1398261

It took them five months to fix the problem, and there is still no incident 
report.

In their response to January CA Communication Action 2 (about insecure domain 
validation methods), they did not provide a comment response, but selected the 
option indicating they were using these vulnerable methods and required a date 
for an update in the comment field:

> We have active (not expired or revoked) certificates issued using these 
> methods. We will review our implementation for vulnerabilities and report our 
> findings on the mozilla.dev.security.policy list by the date specified in the 
> comments section below.

There are currently only 90 unexpired certificates issued by this CA known to 
CT: https://crt.sh/?Identity=%25&iCAID=1414&exclude=expired (last time we 
looked, there were only 27 and two were revoked)

Additionally, the telemetry shows an extremely small number of validations.

It’s not clear to me from their responses whether they are even currently 
BR-compliant, and as of September 13, 2017 it seems like they weren’t:

> Regarding BR compliance, we completed our initial BR audit in September of 
> 2016.  Since that time, we have been addressing the observations noted by our 
> external auditors.  This also would encompass any certificate issues that 
> have been publically reported.  Understanding that such changes in adopting a 
> new process will have business impact, it is difficult to provide an accurate 
> timeline of complete compliance as we are required to assess the impact to 
> our client and payment systems to avoid any operational impact.  We are 
> committed to aligning with BR and Mozilla requirements as we have 
> continuously move forward in making the necessary changes .

Given all this, I don’t think there is a lot of risk to Mozilla’s users with no 
benefit if Visa continues to be included in the root program.

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to