On Thu, Sep 27, 2018 at 5:22 PM Wayne Thayer via dev-security-policy <[email protected]> wrote:

> Visa has filed a bug [1] requesting removal of the eCommerce root from the
> Mozilla root store. Visa has also responded to the information requested in
> the qualified audits bug [2], but it's unclear if or when they will respond
> to the issues list presented in this thread. Two weeks have passed since I
> posted the issues list, and I see no reason to delay the complete distrust
> of Visa's eCommerce root. That is likely to happen in Firefox 64 [3] via
> removal of the root from NSS version 3.40. Visa is still welcome to
> respond to the issues list, but I think the removal of Visa's only included
> root, and thus Visa, from the Mozilla CA Certificate Program implies that
> this discussion has reached a conclusion.
>

Visa also stated in their removal bug: "Visa’s plan is to remove the SHA1
root and introduce a new SHA2 and ECC root." Were Visa to apply to the
Mozilla program with one or more new roots, would those be new discussions,
or would that cause this discussion about Visa's history of issues to be
re-opened?

-- Eric

>
> - Wayne
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1493822
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1485851#c2
> [3] https://wiki.mozilla.org/Release_Management/Calendar
>
> On Sun, Sep 23, 2018 at 1:15 PM Ryan Sleevi <[email protected]> wrote:
>
> > On Thu, Sep 13, 2018 at 3:26 PM Wayne Thayer via dev-security-policy <[email protected]> wrote:
> >
> >> Visa recently delivered new qualified audit reports for their eCommerce
> >> Root that is included in the Mozilla program. I opened a bug [1] and
> >> requested an incident report from Visa.
> >>
> >> Visa was also the subject of a thread [2] earlier this year in which I
> >> stated that I would look into some of the concerns that were raised. I've
> >> done that and have compiled the following issues list:
> >>
> >> https://wiki.mozilla.org/CA:Visa_Issues
> >>
> >> While I have attempted to make this list as complete, accurate, and factual
> >> as possible, it may be updated as more information is received from Visa
> >> and the community.
> >>
> >> I would like to request that a representative from Visa engage in this
> >> discussion and provide responses to these issues.
> >>
> >> - Wayne
> >>
> >> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1485851
> >> [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/NNV3zvX43vE/ns8UUwp8BgAJ
> >
> > I've not seen Visa engage in this discussion. The silence is rather
> > deafening, and arguably unacceptably so.
> >
> > With respect to the Qualified Audit, Visa's response as to the substance
> > of the issue is particularly unsettling.
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1485851#c3 demonstrates that
> > they've not actually remediated the qualification, that they've further
> > failed to meet the BRs requirements on revocations by any reasonable
> > perspective, and they don't even have a plan yet to remedy this issue.
> >
> > Examining the bug itself is fairly disturbing, and the responses likely
> > reveal further BR violations. For example, the inability to obtain evidence
> > of domain validation information reveals that there are further issues with
> > 2-7.3 - namely, maintaining those logs for 7 years. The response to 2-7.3
> > suggests that there are likely more endemic issues around the issuance.
> >
> > Given the past issues, the recently identified issues (that appear to have
> > been longstanding), and the new issues that Visa's PKI Policy team is
> > actively engaging in, I believe it would be appropriate and necessary to
> > consider removing trust in this CA.
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

-- 
konklone.com | @konklone <https://twitter.com/konklone>

