(Initial page copy)
m (Kathleen Wilson moved page CA:Visa Issues to CA/Visa Issues: Moved from CA: to CA/)
(10 intermediate revisions by 2 users not shown)
Line 2: | Line 2: | ||
Visa has a [https://crt.sh/?id=896972 single certificate] in the Mozilla Root Program. The CN of the root is "Visa eCommerce Root", and it expires on June 24, 2022. This root was issued in 2002 and grandfathered in to our root store when the Mozilla Root Program was created. | Visa has a [https://crt.sh/?id=896972 single certificate] in the Mozilla Root Program. The CN of the root is "Visa eCommerce Root", and it expires on June 24, 2022. This root was issued in 2002 and grandfathered in to our root store when the Mozilla Root Program was created. | ||
==Issue A: Missing Baseline Requirements Audits (2014 - March 2016)== | ==Issue A: Missing Baseline Requirements Audits (2014 - March 2016)== | ||
Visa received an initial point-in-time Baseline Requirements audit | Visa received an initial point-in-time Baseline Requirements audit on March 31, 2016 [https://bugzilla.mozilla.org/attachment.cgi?id=8795503 [1]]. This was more than two years past Mozilla’s deadline for BR compliance: “CAs with a root certificate that has the websites (SSL/TLS) trust bit enabled in Mozilla's CA Certificate Program shall have their SSL certificate issuance and operations audited according to the Baseline Requirements between February 15, 2013, and February 15, 2014.” [https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy [2]] | ||
==Issue B. Qualified Audits (2016 - Present)== | ==Issue B. Qualified Audits (2016 - Present)== | ||
Visa has yet to receive a clean (unqualified) BR audit. Their first | Visa has yet to receive a clean (unqualified) BR audit. Their first point-in-time audit conducted by KPMG lists 7 qualifications [https://bugzilla.mozilla.org/attachment.cgi?id=8795503 [1]]. Their 2017 BR audit [https://bug1301210.bmoattachments.org/attachment.cgi?id=9004729 [3]] conducted by BDO lists 3 qualifications, and their standard 2017 WebTrust audit [https://bug1301210.bmoattachments.org/attachment.cgi?id=9004730 [4]] lists one qualification. We recently received Visa’s 2018 audits containing a total of 5 qualifications [https://bugzilla.mozilla.org/show_bug.cgi?id=1485777 [5]]. | ||
Visa eCommerce Root Audit History | Visa eCommerce Root Audit History | ||
WebTrust for CAs | '''WebTrust for CAs''' | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
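Review bot: heading punctuation is inconsistent in this hunk: "==Issue B. Qualified Audits (2016 - Present)==" uses a period after the issue letter, while "==Issue A: Missing Baseline Requirements Audits (2014 - March 2016)==" and the later Issue E, G, H and L headings use a colon. Suggest "==Issue B: Qualified Audits (2016 - Present)==" so the section headings follow one convention.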
Line 41: | Line 39: | ||
WebTrust Baseline Requirements | '''WebTrust Baseline Requirements''' | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
Line 63: | Line 61: | ||
“The CA maintains controls and procedures to provide reasonable assurance that as of the date the Certificate was issued, the CA obtains confirmation in accordance with the SSL Baseline Requirements Section 11.1 related to the Fully-Qualified Domain Name(s) and IP address(es) listed in the Certificate.” | “The CA maintains controls and procedures to provide reasonable assurance that as of the date the Certificate was issued, the CA obtains confirmation in accordance with the SSL Baseline Requirements Section 11.1 related to the Fully-Qualified Domain Name(s) and IP address(es) listed in the Certificate.” | ||
The | The point-in-time audit states that “Verification of the Fully-Qualified Domain Name(s) and IP address(es) listed in the certificates is not formally performed and documented per Baseline Requirements.” Visa responded that the issue had been remediated, but the 2017 audit states that “We were unable to obtain evidence of the domain validation documentation for a certificate issued.” (one specific certificate was identified as lacking documentation). Visa responded with the following statement: | ||
“Visa notes a plan to standardize and establish consistency across all Domain Validations to include our internal certificate requests, is in progress. This plan will be implemented in Q1 FY18 and include training to relevant personnel about the new standardized process.” | “Visa notes a plan to standardize and establish consistency across all Domain Validations to include our internal certificate requests, is in progress. This plan will be implemented in Q1 FY18 and include training to relevant personnel about the new standardized process.” | ||
Line 72: | Line 70: | ||
==Issue E: Inadequate Organization Validation Procedures (2016)== | ==Issue E: Inadequate Organization Validation Procedures (2016)== | ||
Visa’s original BR | Visa’s original BR point-in-time audit describes the following deficiency: | ||
Visa has a detailed corporate onboarding process for new clients who may ultimately require publicly trusted SSL certificates to do business with VISA. However, it was noted that the VISA CA’s vetting procedures do not specifically address the referenced WTBR criteria at the time of certificate issuance for verification of the O, OU, L, C attributes. It was also noted that the | "Visa has a detailed corporate onboarding process for new clients who may ultimately require publicly trusted SSL certificates to do business with VISA. However, it was noted that the VISA CA’s vetting procedures do not specifically address the referenced WTBR criteria at the time of certificate issuance for verification of the O, OU, L, C attributes. It was also noted that the VISA CA uses an internal system (VISA Profiler) to verify client organization and individual information, but there is no process in place to validate that information by using a third-party database considered a Reliable Data Source or attestation letters." | ||
VISA CA uses an internal system (VISA Profiler) to verify client organization and individual information, but there is no process in place to validate that information by using a third-party database considered a Reliable Data Source or attestation letters. | |||
This issue is not present on Visa’s more recent BR audits. | This issue is not present on Visa’s more recent BR audits. | ||
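Review bot: the quoted deficiency in Issue E is introduced with "Visa's original BR point-in-time audit describes the following deficiency:" but carries no reference link, whereas the same point-in-time audit is cited as [https://bugzilla.mozilla.org/attachment.cgi?id=8795503 [1]] in Issues A and B. Suggest adding that citation after "point-in-time audit" so a reader can locate the quoted passage in the audit report.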
Line 83: | Line 80: | ||
==Issue G: Internal Names in Certificates (2016)== | ==Issue G: Internal Names in Certificates (2016)== | ||
In bug 1391087 [https://bugzilla.mozilla.org/show_bug.cgi?id=1391087 [13]], Visa was found to have issued two certificates [https://misissued.com/batch/8/ [14]] containing internal names that were not revoked by the BR deadline of October 1, 2016. In the bug, Visa stated that they completed their initial BR audit in September 2016 when the BR | In bug 1391087 [https://bugzilla.mozilla.org/show_bug.cgi?id=1391087 [13]], Visa was found to have issued two certificates [https://misissued.com/batch/8/ [14]] containing internal names that were not revoked by the BR deadline of October 1, 2016. In the bug, Visa stated that they completed their initial BR audit in September 2016 when the BR point-in-time audit report was issued, but one of these certificates was issued after the BR point-in-time audit date of March 31, 2016. In this bug, Visa declined repeated requests to provide a list of additional misissued certificates that were identified during their internal investigation. | ||
==Issue H: Failure to Respond to Problem Reports Within 24 Hours (2017)== | ==Issue H: Failure to Respond to Problem Reports Within 24 Hours (2017)== | ||
Line 98: | Line 95: | ||
One particular case that has occurred as recently as July 2017 was reported to Visa in bug 636557. [https://bugzilla.mozilla.org/show_bug.cgi?id=636557#c51 [19]] The error is the inclusion of the Key Agreement key usage in RSA certificates. In the bug Visa initially argued that this is allowed, but later fixed the problem in the test site that was being referenced, then continued to issue certs containing this error for another 10 months. | One particular case that has occurred as recently as July 2017 was reported to Visa in bug 636557. [https://bugzilla.mozilla.org/show_bug.cgi?id=636557#c51 [19]] The error is the inclusion of the Key Agreement key usage in RSA certificates. In the bug Visa initially argued that this is allowed, but later fixed the problem in the test site that was being referenced, then continued to issue certs containing this error for another 10 months. | ||
==Issue L: 2018 Audit Late | ==Issue L: 2018 Audit Report Delivered Late / Documents Ongoing Problems== | ||
Visa’s 2018 audit statements for the period ending March 31, 2018 [https://bugzilla.mozilla.org/show_bug.cgi?id=1485777 [5]] were received on August 23 - well over a month past the deadline of 1-year plus 90 days from the end of the prior audit period. | Visa’s 2018 audit statements for the period ending March 31, 2018 [https://bugzilla.mozilla.org/show_bug.cgi?id=1485777 [5]] were received on August 23 - well over a month past the deadline of 1-year plus 90 days from the end of the prior audit period. | ||
The WTCA qualification on criterion 6.6 indicates one of the issues from the prior year was still not fixed. Likewise, the WTBR audit indicates a failure to meet criterion 2-4.1 as was the case in the previous two audits. An incident bug was opened requesting that Visa describe how they plan to remediate the issues identified in this year’s reports [https://bugzilla.mozilla.org/show_bug.cgi?id=1485851 [20]]. As of | The WTCA qualification on criterion 6.6 indicates one of the issues from the prior year was still not fixed. Likewise, the WTBR audit indicates a failure to meet criterion 2-4.1 as was the case in the previous two audits. An incident bug was opened requesting that Visa describe how they plan to remediate the issues identified in this year’s reports [https://bugzilla.mozilla.org/show_bug.cgi?id=1485851 [20]]. As of September 4, Visa has only replied that “We are preparing a detailed response and we will respond shortly”. | ||
==References== | ==References== |
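Review bot: the dates in Issue L are given without a year: "were received on August 23" and "As of September 4". The surrounding sentence only implies 2018 through "the period ending March 31, 2018"; since this page will be read after 2018, suggest writing "August 23, 2018" and "As of September 4, 2018" to match the fully dated statements elsewhere on the page.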