<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Perhaps I should offer up again one of the representatives of these companies or trade associations the opportunity to present on our next call. This will give you and others the chance to ask your questions directly w/o this back and forth which is not productive. This dialog will be recorded in our minutes so there will be no opportunity for anything other than a transparent discussion. You can hear firsthand what I stated below (which I quoted directly from them). <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Friday, June 17, 2016 12:58 PM<br><b>To:</b> Dean Coclin <Dean_Coclin@symantec.com><br><b>Cc:</b> Gervase Markham <gerv@mozilla.org>; CABFPub <public@cabforum.org><br><b>Subject:</b> Re: [cabfpub] Proposal of a SHA-1 exception procedure<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Fri, Jun 17, 2016 at 9:46 AM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>No Processor's legal department will allow them to put out a public form saying, "We are using SHA-1". They don't understand why browsers think this is a good idea.<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Dean,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If you're going to make broad, sweeping, absolute statements, then it would help if you - or the customers you're claiming to represent - would explain why. If your goal is to suggest that Google reconsider the need for transparency, then you - and those customers - have an obligation to explain why that is. Statements like the above, and statements like you've made on the thread, objectively do not help further the discussion, and only serve to postpone and delay any further consideration of SHA-1 allowances.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If your goal is to support your customers, you're only hurting them with statements like this.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>A useful furtherance of the discussion, rephrasing what yous aid, might be<o:p></o:p></p></div><div><p class=MsoNormal>"It's unlikely that payment processor's legal department will allow them to publicly admit "We are using SHA-1", because of [concerns X, Y, Z]."<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Of course, to also reiterate the previous discussions, "because security and privacy" aren't really concrete or actionable concerns - they're opaque, vague, and broad. They don't help inform the discussion about the tradeoffs - about the need for ecosystem transparency.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If the proposition is that "Admitting you use SHA-1 is to put yourself at risk", then please consider what you're asking - that the entire Internet trust ecosystem accept the risk on behalf of that payment processor (and those like them), that need SHA-1 certificates. That's a completely unreasonable request, without further details.<o:p></o:p></p></div></div></div></div></div></body></html>