<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 14.02.5004.000">
<TITLE>FW: [cabfpub] CAB Forum Policy Change request</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT COLOR="#1F497D" FACE="Calibri">Re-posting to public list with permission…</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Tahoma">_____________________________________________<BR>
</FONT></SPAN><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B><FONT SIZE=2 FACE="Tahoma">From:</FONT></B></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Tahoma"> WILEMON, ANDREA A<BR>
</FONT></SPAN><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B><FONT SIZE=2 FACE="Tahoma">Sent:</FONT></B></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Tahoma"> Tuesday, September 15, 2015 3:45 PM<BR>
</FONT></SPAN><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B><FONT SIZE=2 FACE="Tahoma">To:</FONT></B></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Tahoma"> Sigbjørn Vik<BR>
</FONT></SPAN><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B><FONT SIZE=2 FACE="Tahoma">Subject:</FONT></B></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Tahoma"> RE: [cabfpub] CAB Forum Policy Change request</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">Sigbjørn,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Our responses are below following your comments.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Andrea</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B></B></SPAN><B><SPAN LANG="en-us"><FONT COLOR="#FFC000" SIZE=2 FACE="Calibri">Andrea A. Wilemon, CISSP</FONT></SPAN></B></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Calibri">Principle-Technology Security</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Calibri">Chief Security Office, Mobility, Cloud & Enterprise Security</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B></B></SPAN><SPAN LANG="en-us"><B></B></SPAN><B><SPAN LANG="en-us"><FONT COLOR="#FFC000" SIZE=2 FACE="Calibri">AT&T Services, Inc.</FONT></SPAN></B></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT FACE="Calibri">-----Original Message-----</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">From: Sigbjørn Vik </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Sent: Thursday, September 03, 2015 4:50 AM</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">To:</FONT></SPAN><SPAN LANG="en-us"> </SPAN><A HREF="mailto:public@cabforum.org"><SPAN LANG="en-us"><U><FONT COLOR="#0000FF" FACE="Calibri">public@cabforum.org</FONT></U></SPAN><SPAN LANG="en-us"></SPAN></A><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Cc: WILEMON, ANDREA A</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Subject: Re: [cabfpub] CAB Forum Policy Change request</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> This message is from the AT&T Services, Inc., Chief Security Office,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> Data Protection Team.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> 1) Symantec’s proposal involves changing thousands of SHA-1 certificates</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> that will translate to a high volume of unplanned operations and</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> workload churn.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B><FONT FACE="Calibri">Sigbjørn’s comment:</FONT></B></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">There is no need to replace certificates just because you got a new one.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">I fail to see why the following wouldn't work: Get new certificates now,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">and store them safely. Do not do anything with the existing</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">certificates. When you would otherwise replace a certificate with a new</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">one, instead of getting one issued, take a pre-issued one from your</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">secure storage and put that on your server.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B><FONT FACE="Calibri">Andrea's reply:</FONT></B></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">We considered this method. This would be a good option except for the volume of certificates that we have to manage. The secure-storage-until-needed-option presents many inventory management difficulties in our environment:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Symbol">·<FONT FACE="Courier New"> </FONT></FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">A key escrow repository and inventory management system does not exist, and there are not the resources or time left to build a temporary solution.</FONT></SPAN></P>
<UL DIR=LTR><UL DIR=LTR>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
</UL></UL>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Symbol">·<FONT FACE="Courier New"> </FONT></FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">Server certificates are different from software licenses in that they are issued from our Symantec CA once with unique information per key pair. We can't issue generic certificates and update them later with the Subject Distinguished Name (DN) values as PKI industry standards and the technology require. Each certificate owner has to enroll for new certificates with unique Subject DN, Serial Number and Thumbprint values.</FONT></SPAN></P>
<UL DIR=LTR><UL DIR=LTR>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
</UL></UL>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Symbol">·<FONT FACE="Courier New"> </FONT></FONT></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">As mentioned above, there is no centralized secure repository for the remaining SHA-1 certificates which are over 6,000 key pairs. The private keys would be stored in many different locations by many different groups which makes them difficult to track.</FONT></SPAN></P>
<UL DIR=LTR><UL DIR=LTR>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
</UL></UL>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Symbol">·<FONT FACE="Courier New"> </FONT></FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT FACE="Calibri">Without a secure repository system, the pending key pairs would most likely be stored outside of properly secured containers which become a security issue. </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> We request a policy change allowing Symantec to continue issuing</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> less-than-one-year SHA-1 certificates after 12/31/2015 under their</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> public trusted PKI hierarchy to support our remaining applications</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">> scheduled for SHA-256 adoption or retirement in 2016.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B><FONT FACE="Calibri">Sigbjørn’s comment:</FONT></B></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">The CABForum is working for a more secure web. This includes making</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">sunset periods for insecure methods. Whatever we decide to sunset, there</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">will always be someone struggling to meet the deadline, and a lot of</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">businesses moving at the last possible date. If we allow extensions of</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">the deadline, there will be even more problems next time, as businesses</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">will expect it to be moveable should they run into problems. When to</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">migrate is a business decision, by extending the deadline now, we reward</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">those making insecure decisions and punish those pushing the security of</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">the web forwards. Based on this, Opera is opposed to extending the deadline.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B><FONT FACE="Calibri">Andrea's reply: </FONT></B></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">As mentioned before, we support the CAB Forum's work to increase Internet security, as in this case to strengthen TLS encryption. We are not asking to extend the SHA-1 deprecation deadline. We are asking for access to partial validity SHA-1 certificates in 2016. Just to be clear, we are not asking to extend the deadline for terminating use of SHA-1 certificates. This will allow our remaining applications to complete their certificate upgrades in 2016. </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Symantec notified customers about this change in 2014. Our server certificate migration path began in the second quarter of 2014 and the majority of applications were upgraded to SHA-256 successfully. However, we have encountered roadblocks that delayed some applications from upgrading from SHA-1 in 2015. For example, hardware and software vendor support of SHA-256 wasn’t available until as late as third quarter of 2015 in some cases and required 2016 resource commitments for testing and implementation. </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B></B></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B><FONT FACE="Calibri">Sigbjørn’s comment:</FONT></B></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Even if you get a CA to issue SHA-1 certificates in 2016, that doesn't</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">guarantee you that browsers would accept such certificates, browsers</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">will still only allow certificates they believe are in their user's</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">interest.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B><FONT FACE="Calibri">Andrea's reply:</FONT></B></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">We understand this point. Internet Explorer (IE) is our standard and we know IE will support SHA-1 certificates through December 31, 2016 which is our deadline. While other browsers are used in our environment, and others may even be standards, those browsers that do not support SHA-1 certificates through 2016 will quickly be retired from our environment.</FONT></SPAN></P>
<BR>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">-- </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Sigbjørn Vik</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="Calibri">Opera Software</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
</BODY>
</HTML>