Re: Public trust of VISA's CA

2018-02-14 Thread Wayne Thayer via dev-security-policy
On Wed, Feb 14, 2018 at 10:47 AM, Tim Smith via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wednesday, February 14, 2018 at 8:43:19 AM UTC-8, Wayne Thayer wrote: > > In this particular case, my conclusion is that the existing Mozilla > > process is working. We have

Re: Public trust of VISA's CA

2018-02-14 Thread Tim Smith via dev-security-policy
On Wednesday, February 14, 2018 at 8:43:19 AM UTC-8, Wayne Thayer wrote: > In this particular case, my conclusion is that the existing Mozilla > process is working. We have documented a number of issues that when > considered in aggregate warrant an investigation. Hi Wayne, Forgive me if I'm

Re: Public trust of VISA's CA

2018-02-14 Thread westmail24--- via dev-security-policy
It seems to me that some CAs leave Mozilla's questions unanswered because they know that it will not cause any serious consequences. I mean removing a root certificate from the Mozilla Root Store. However, this point of view here seems to have already been voiced.

Re: Public trust of VISA's CA

2018-02-14 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 13, 2018 at 11:26 PM, Paul Kehrer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On February 14, 2018 at 4:17:16 AM, Wayne Thayer via dev-security-policy ( > dev-security-policy@lists.mozilla.org) wrote: > > > The most recent BR audit report for the Visa

Re: Public trust of VISA's CA

2018-02-13 Thread Paul Kehrer via dev-security-policy
On February 14, 2018 at 4:17:16 AM, Wayne Thayer via dev-security-policy ( dev-security-policy@lists.mozilla.org) wrote: > The most recent BR audit report for the Visa eCommerce Root contains 3 qualifications: http://enroll.visaca.com/WTBR%20eComm.pdf Does Mozilla have any guidelines or official

Re: Public trust of VISA's CA

2018-02-13 Thread Jonathan Rudenberg via dev-security-policy
> On Feb 13, 2018, at 19:16, Wayne Thayer via dev-security-policy > wrote: > > On Tue, Feb 13, 2018 at 10:49 AM, Jonathan Rudenberg > wrote: > >> >>> On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy < >>

Re: Public trust of VISA's CA

2018-02-13 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 13, 2018 at 10:49 AM, Jonathan Rudenberg wrote: > > > On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > In the light of this, I believe it is reasonable to discuss the question > > of

Re: Public trust of VISA's CA

2018-02-13 Thread Jonathan Rudenberg via dev-security-policy
> On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy > wrote: > > In the light of this, I believe it is reasonable to discuss the question > of whether Visa's PKI (and, specifically, the VISA eCommerce Root, > https://crt.sh/?id=896972 ,

Re: Public trust of VISA's CA

2017-09-21 Thread Paul Kehrer via dev-security-policy
I can confirm that as of this moment the VISA OCSP responders are still responding GOOD for non-existent certificates. VISA was originally contacted by me on August 29 so it has now been over 21 days since initial report. -Paul On September 21, 2017 at 9:32:12 PM, Gervase Markham via

Re: Public trust of VISA's CA

2017-09-21 Thread Gervase Markham via dev-security-policy
Additionally, 13 days ago it was reported to VISA that their OCSP responder was misconfigured to return "good" responses for non-existent certificates: https://bugzilla.mozilla.org/show_bug.cgi?id=1398261 As far as I can see, this is the case for their end-entity certificates, not just some roots

Re: Public trust of VISA's CA

2017-09-20 Thread Jakob Bohm via dev-security-policy
On 20/09/2017 09:37, Martin Rublik wrote: On Tue, Sep 19, 2017 at 5:22 PM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: https://crt.sh/mozilla-certvalidations?group=version=896972 is a very informative graph for me -- this is the number of validations

Re: Public trust of VISA's CA

2017-09-20 Thread Peter Bowen via dev-security-policy
On Wed, Sep 20, 2017 at 12:37 AM, Martin Rublik via dev-security-policy wrote: > On Tue, Sep 19, 2017 at 5:22 PM, Alex Gaynor via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >>

Re: Public trust of VISA's CA

2017-09-20 Thread Martin Rublik via dev-security-policy
On Tue, Sep 19, 2017 at 5:22 PM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > https://crt.sh/mozilla-certvalidations?group=version=896972 is a very > informative graph for me -- this is the number of validations performed by > Firefox for certs under this

Re: Public trust of VISA's CA

2017-09-19 Thread Matthew Hardeman via dev-security-policy
On Tuesday, September 19, 2017 at 10:13:26 AM UTC-5, Gervase Markham wrote: > From the above, we see that Visa only issues certificates to their own > customers/clients, and not to the public. They believe that this permits > them to keep confidential details of the certificates which they wish

Re: Public trust of VISA's CA

2017-09-19 Thread Gervase Markham via dev-security-policy
On 19/09/17 16:27, Peter Bowen wrote: > I think your statement is a little broad. Every CA only issues > certificates to themselves and their own customers (or as the BRs call > them "Subscribers"). Yes, you are right. "Customers" was the wrong word. Perhaps I rather meant they only issue to