On Thu, Sep 13, 2018 at 3:26 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Visa recently delivered new qualified audit reports for their eCommerce
> Root that is included in the Mozilla program. I opened a bug [1] and
> requested an incident report from Visa.
>
> Visa was also the subject of a thread [2] earlier this year in which I
> stated that I would look into some of the concerns that were raised. I've
> done that and have compiled the following issues list:
>
> https://wiki.mozilla.org/CA:Visa_Issues
>
> While I have attempted to make this list as complete, accurate, and factual
> as possible, it may be updated as more information is received from Visa
> and the community.
>
> I would like to request that a representative from Visa engage in this
> discussion and provide responses to these issues.
>
> - Wayne
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1485851
> [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/NNV3zvX43vE/ns8UUwp8BgAJ
I've not seen Visa engage in this discussion. The silence is rather
deafening, and arguably unacceptably so.

With respect to the Qualified Audit, Visa's response as to the substance of
the issue is particularly unsettling.
https://bugzilla.mozilla.org/show_bug.cgi?id=1485851#c3 demonstrates that
they've not actually remediated the qualification, that they've further
failed to meet the BRs' requirements on revocations by any reasonable
perspective, and they don't even have a plan yet to remedy this issue.

Examining the bug itself is fairly disturbing, and the responses likely
reveal further BR violations. For example, the inability to obtain evidence
of domain validation information reveals that there are further issues with
2-7.3 - namely, maintaining those logs for 7 years. The response to 2-7.3
suggests that there are likely more endemic issues around the issuance.

Given the past issues, the recently identified issues (that appear to have
been longstanding), and the new issues that Visa's PKI Policy team is
actively engaging in, I believe it would be appropriate and necessary to
consider removing trust in this CA.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy