> On Feb 13, 2018, at 19:16, Wayne Thayer via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> On Tue, Feb 13, 2018 at 10:49 AM, Jonathan Rudenberg <jonat...@titanous.com>
> wrote:
>>> On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>> In the light of this, I believe it is reasonable to discuss the question
>>> of whether Visa's PKI (and, specifically, the VISA eCommerce Root,
>>> https://crt.sh/?id=896972 , which is the one includes in our store)
>>> meets the criteria for inclusion in Mozilla's Root Store Policy, and
>>> whether it is appropriate for them to continue to hold public trust.
>>> Your comments are welcome.
>> I don’t think this issue ever got a conclusion. It is clear to me that
>> Visa should be removed from the Mozilla root program immediately.
> We did reach a conclusion on the original question that Gerv raised in
> this thread: does Visa meet the following requirement from section 2.1 of
> the Mozilla root store policy:
> CAs whose certificates are included in Mozilla's root program MUST provide
> some service relevant to typical users of our software products.

This is an answer to the first question, the second part is “whether it is 
appropriate for them to continue to hold public trust.”

> In the thread on this list titled "Updating Root Inclusion Criteria" it was
> decided that we will not attempt to restrict organizations from
> participating in the Mozilla CA program based on a judgement of their value
> to our users.

Right, but a judgement based on risk to users seems prudent.

> The most recent BR audit report for the Visa eCommerce Root contains 3
> qualifications: http://enroll.visaca.com/WTBR%20eComm.pdf

And one of these qualifications is for a critical component of the job:

> We were unable to obtain evidence of the domain validation documentation for 
> a certificate issued.

dev-security-policy mailing list

Reply via email to