CA/Visa Issues

From MozillaWiki
< CA(Redirected from CA:Visa Issues)
Jump to: navigation, search

This page lists alleged issues involving the Visa CA. It may be further updated by Mozilla as more information becomes available. Please do not edit this page yourself; if you have proposed changes, email Wayne. Information here is correct to the best of Mozilla's knowledge and belief.

Visa has a single certificate in the Mozilla Root Program. The CN of the root is "Visa eCommerce Root", and it expires on June 24, 2022. This root was issued in 2002 and grandfathered in to our root store when the Mozilla Root Program was created.

Issue A: Missing Baseline Requirements Audits (2014 - March 2016)

Visa received an initial point-in-time Baseline Requirements audit on March 31, 2016 [1]. This was more than two years past Mozilla’s deadline for BR compliance: “CAs with a root certificate that has the websites (SSL/TLS) trust bit enabled in Mozilla's CA Certificate Program shall have their SSL certificate issuance and operations audited according to the Baseline Requirements between February 15, 2013, and February 15, 2014.” [2]

Issue B. Qualified Audits (2016 - Present)

Visa has yet to receive a clean (unqualified) BR audit. Their first point-in-time audit conducted by KPMG lists 7 qualifications [1]. Their 2017 BR audit [3] conducted by BDO lists 3 qualifications, and their standard 2017 WebTrust audit [4] lists one qualification. We recently received Visa’s 2018 audits containing a total of 5 qualifications [5].

Visa eCommerce Root Audit History

WebTrust for CAs

Period Auditor Results
June 1, 2008 - May 31, 2009 KPMG Clean
June 1, 2009 - May 30,2010 KPMG Clean
June 1, 2010 - June 1, 2011 Unknown*
June 1, 2011 - December 31, 2011 Unknown*
January 1, 2012 - December 31, 2012 KPMG Clean
April 1, 2013 - March 31, 2014 KPMG Clean
April 1, 2014 - March 31, 2015 KPMG Clean
April 1, 2015 - March 31, 2016 KPMG Clean
April 1, 2016 - March 31, 2017 BDO Qualified on criterion 6.6 Certificate Revocation
April 1, 2017 - March 31, 2018 BDO Qualified on criterion 6.6 Certificate Revocation

* Mozilla has not previously maintained a history of audit reports.


WebTrust Baseline Requirements

Period Auditor Results
March 31, 2016 KPMG 7 qualifications
April 1, 2016 - March 31, 2017 BDO 3 qualifications
April 1, 2017 - March 31, 2018 BDO 4 qualifications

The newer Visa Information Delivery root was the subject of an inclusion request [6] that Visa recently decided to cancel. We recently received the 2017 BDO audit statements for this root. The WebTrust audit statement [7] includes 4 qualifications and the Baseline Requirements audit statement [8] also includes 4 qualifications. I had requested, but never received, audit statements for prior periods for this root.

Issue C: SHA-1 Issuance (2016)

Visa’s March 31, 2016 audit noted 4 certificates that were signed using SHA-1 after the January 1, 2016 BR deadline. In addition, two SHA-1 certificates issued after the deadline were reported to Mozilla and Visa [9]. In this bug it was noted that Visa did not fully disclose their SHA-1 issuance, they were working under their own “exception policy”, and more than a month elapsed before these certificates were revoked.

Issue D: Inadequate Domain Validation Procedures (2016 - Present)

All three of Visa’s eCommerce Root BR audits are qualified on WebTrust criterion 2 - 4.1 that states:

“The CA maintains controls and procedures to provide reasonable assurance that as of the date the Certificate was issued, the CA obtains confirmation in accordance with the SSL Baseline Requirements Section 11.1 related to the Fully-Qualified Domain Name(s) and IP address(es) listed in the Certificate.”

The point-in-time audit states that “Verification of the Fully-Qualified Domain Name(s) and IP address(es) listed in the certificates is not formally performed and documented per Baseline Requirements.” Visa responded that the issue had been remediated, but the 2017 audit states that “We were unable to obtain evidence of the domain validation documentation for a certificate issued.” (one specific certificate was identified as lacking documentation). Visa responded with the following statement:

“Visa notes a plan to standardize and establish consistency across all Domain Validations to include our internal certificate requests, is in progress. This plan will be implemented in Q1 FY18 and include training to relevant personnel about the new standardized process.” 

This year’s qualification [10] states that “For 5 of the 45 certificate issuance requests selected, we were unable to obtain domain validation evidence in accordance with the Baseline Requirements”. The 2018 management assertion says:

“Visa notes the respective system of record, used to track and store certificate requests and validation data, had been retired during the year. Access to the historical data was not maintained resulting in this observation. However, obtaining domain validation requirements are part of our continuous training; for which, Visa asserts domain validation was completed before issuing the certificate.”

Issue E: Inadequate Organization Validation Procedures (2016)

Visa’s original BR point-in-time audit describes the following deficiency:

"Visa has a detailed corporate onboarding process for new clients who may ultimately require publicly trusted SSL certificates to do business with VISA. However, it was noted that the VISA CA’s vetting procedures do not specifically address the referenced WTBR criteria at the time of certificate issuance for verification of the O, OU, L, C attributes. It was also noted that the VISA CA uses an internal system (VISA Profiler) to verify client organization and individual information, but there is no process in place to validate that information by using a third-party database considered a Reliable Data Source or attestation letters."

This issue is not present on Visa’s more recent BR audits.

Issue F: No CAA Support (September 2017 - Present)

All CAs were required by the BRs to implement CAA record checking by September 8, 2017. Prior to January 31, 2018, Visa’s CP/CPS stated that “Visa Certificate Authorities do not review CAA records at the current time.” That issue is partially fixed in the latest version of their CP/CPS [11][12], but the information is not in section 4.2 and it still doesn’t document the CAA domains recognized by Visa as required by BR section 2.2. Also, Visa still has not supplied their recognized CAA domains to Mozilla despite stating that the information was correct and that they would comply with CAA implementation dates in their response to Action 6 of the November 2017 CA Communication survey.

Issue G: Internal Names in Certificates (2016)

In bug 1391087 [13], Visa was found to have issued two certificates [14] containing internal names that were not revoked by the BR deadline of October 1, 2016. In the bug, Visa stated that they completed their initial BR audit in September 2016 when the BR point-in-time audit report was issued, but one of these certificates was issued after the BR point-in-time audit date of March 31, 2016. In this bug, Visa declined repeated requests to provide a list of additional misissued certificates that were identified during their internal investigation.

Issue H: Failure to Respond to Problem Reports Within 24 Hours (2017)

Visa’s 2017 BR audit report [3] includes a qualification described by their auditor as “We were unable to obtain evidence to verify the revocation was completed within the 24 hour requirement for a selection of revoked certificates.“ This issue was later confirmed in bug 1391087 [13] when a problem report was sent to Visa’s documented problem reporting email address, but no response was ever received. The certificates were also not revoked within 24 hours.

Issue I: Misconfigured OCSP Responder (August 2013 - February 2018)

In bug 1398261 [15], it was reported that Visa’s OCSP responder was configured in violation of the BRs to respond with a “good” status for unissued certificates [16]. The problem was reported to Visa in September, and fixed in February 2018. Visa’s response has made it clear that their OCSP responders have been non-compliant since this requirement went into effect on August 1, 2013.

Issue J: Issuing Certificates with 1024-bit Keys (2015)

In bug 1034834 [17], evidence was provided that Visa issued at least one 1024-bit SSL certificate in 2015 with a 2017 expiration date. The BRs forbid 1024-bit SSL certificates with expiration dates later than December 31, 2013.

Issue K: Technical Misissuance (2013 - 2017)

https://crt.sh [18] lists dozens of unrevoked certificates issued by Visa as recently as July 2017 containing technical violations such as missing EKUs and improperly coded countryName fields. This represents a large percentage of all certificates issued under the eCommerce root during this period. This type of issue has affected many CAs over the past year. For most of the errors, it appears that the problem wasn’t reported by third parties or detected by Visa. It is unclear if Visa, like many other CAs, has implemented linting to prevent this class of problems from occurring in the future. One particular case that has occurred as recently as July 2017 was reported to Visa in bug 636557. [19] The error is the inclusion of the Key Agreement key usage in RSA certificates. In the bug Visa initially argued that this is allowed, but later fixed the problem in the test site that was being referenced, then continued to issue certs containing this error for another 10 months.

Issue L: 2018 Audit Report Delivered Late / Documents Ongoing Problems

Visa’s 2018 audit statements for the period ending March 31, 2018 [5] were received on August 23 - well over a month past the deadline of 1-year plus 90 days from the end of the prior audit period.

The WTCA qualification on criterion 6.6 indicates one of the issues from the prior year was still not fixed. Likewise, the WTBR audit indicates a failure to meet criterion 2-4.1 as was the case in the previous two audits. An incident bug was opened requesting that Visa describe how they plan to remediate the issues identified in this year’s reports [20]. As of September 4, Visa has only replied that “We are preparing a detailed response and we will respond shortly”.

References

[1] https://bugzilla.mozilla.org/attachment.cgi?id=8795503

[2] https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy

[3] https://bug1301210.bmoattachments.org/attachment.cgi?id=9004729

[4] https://bug1301210.bmoattachments.org/attachment.cgi?id=9004730

[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1485777

[6] https://bugzilla.mozilla.org/show_bug.cgi?id=636557#c78

[7] https://enroll.visaca.com/WTCA%20InfoDel.pdf

[8] https://enroll.visaca.com/WTBR%20InfoDel.pdf

[9] https://bugzilla.mozilla.org/show_bug.cgi?id=1315016

[10] https://bugzilla.mozilla.org/attachment.cgi?id=9003608

[11] https://www.visa.com/pki/pdf/VisaPublicKeyInfrastructureCertificatePolicy.pdf

[12] https://www.visa.com/pki/pdf/VisaPublicKeyInfrastructureCertificatePolicyStatement.pdf

[13] https://bugzilla.mozilla.org/show_bug.cgi?id=1391087

[14] https://misissued.com/batch/8/

[15] https://bugzilla.mozilla.org/show_bug.cgi?id=1398261

[16] https://crt.sh/ocsp-responders?trustedExclude=constrained%2Cexpired%2Conecrl&trustedBy=Mozilla&trustedFor=Server+Authentication&randomserial=Good

[17] https://bugzilla.mozilla.org/show_bug.cgi?id=1034834

[18] https://crt.sh/?caid=1414&opt=x509lint,cablint&minNotBefore=2013-01-01

[19] https://bugzilla.mozilla.org/show_bug.cgi?id=636557#c51

[20] https://bugzilla.mozilla.org/show_bug.cgi?id=1485851