<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Century Gothic";
panose-1:2 11 5 2 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:Consolas;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Answers posted on behalf of TSYS below…<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi <br><b>Sent:</b> Monday, July 18, 2016 9:54 PM<br><b>Subject:</b> Re: [cabfpub] Application for SHA-1 Issuance<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Jul 18, 2016 at 10:47 AM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>The response I received from TSYS regarding the OU value is as follows:<br><br>"The value at the end of the OU, is an independent cryptographically created<br>identity value used by TSYS Support for the sole purpose of identifying the<br>site where the services terminate."<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm hoping that TSYS might be able to provide a little more context here about why these are needed, because I'm having trouble understanding this reply.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'll note Andrew is not the only person to have raised concerns about this; Nick Lamb (CC'd) raised similar concerns in <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/LM9tkZR9mLM/ACBIRX7GAAAJ">https://groups.google.com/d/msg/mozilla.dev.security.policy/LM9tkZR9mLM/ACBIRX7GAAAJ</a> , <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I can see several possible (likely benign) interpretations for TSYS's reply, but it might be better if they could explain more or provide additional context, so as to reassure the relying public about the purpose of these values.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>></span></i></b><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>See TSYS reply to Andrew R. Whalley @ <a href="https://cabforum.org/pipermail/public/2016-July/008041.html">https://cabforum.org/pipermail/public/2016-July/008041.html</a></span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In addition, understanding the answers to Andrew's other questions - particularly Question 3 - might help avoid the need for this issuance entirely.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p></div><div><p class=MsoNormal><b><i><span style='color:#1F497D'>>></span></i><span style='color:#1F497D'>As a practice, for the SSL/TLS Payment Gateway Services, TSYS Acquiring generates new Private Keys, passphrases and CSRs for every issuance of SSL/TLS Certificates. This is to avoid unnecessary revocation due to deprecated process, content management/controls and any risks related to key retention and broad re-use.</span></b><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Question 1)<o:p></o:p></p></div><div><p class=MsoNormal>From the timeline in #7, it sounds like TSYS didn't begin planning the SHA-1 transition until 8 months after Symantec's communication (Jan 16, 2015 vs April 1, 2014), and only became aware of remaining systems with potential issues on November 30, 2015 - is that correct? That is, I'm having trouble making sense of the event that occurred on November 30, 2015, and do want to make sure I understand, since it sounds like this may be a key part to understanding how we can do better in the Forum in the future, at least with respect to this situation.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>></span><b><span style='font-size:10.0pt;font-family:"Segoe UI",sans-serif'> </span></b><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>The team responsible for certificate management within the TSYS subsidiary received the notifications but did not understand the full impact and complexity of dealing with POS terminals at diverse locations under varied ownership / responsibility.</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Question 2)<o:p></o:p></p></div><div><p class=MsoNormal>Based on the response to #8, one of the improvements is "Additional lead times to implement solutions from CAs" - but I'm unsure what's meant by that. It sounds like there was already a 20 month lead time for the transition, with an 8 month gap before action was taken, and there were still difficulties. Could TSYS perhaps expand on what was meant by this? If, in the future, the Forum needs to deprecate something, the lead times for that deprecation will necessarily be dictated by the Forum and its deprecation schedule, so it's not entirely clear that we'll get better.<o:p></o:p></p></div><div><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>></span><b><span style='font-size:10.0pt;font-family:"Century Gothic",sans-serif'> </span></b><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Additional “lead times” may more accurately be stated that the pervasive and ubiquitous nature of where SHA1 certificates existed and the complexity of dealing with POS terminals at diverse locations under varied ownership / responsibility was not fully understood by TSYS and still may not be understood by the entire CAB Forum membership.</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p></div><div><p class=MsoNormal>Question 3)<o:p></o:p></p></div><div><p class=MsoNormal>Based on #7, it sounds like Symantec's notification of the SHA-2 transition on April 1, 2014 was the first notice that TSYS had about the need to migrate away from SHA-1. It's also unclear if there were further communications between then and November 30, 2015 (the internal report) and December 15, 2015 (the need to accelerate). Is this correct? I'm asking to try to understand if this issue may have been partly caused by a lack of communication by the CA, a lack of communication by the industry, a lack of clarity in the communications, or something else entirely.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>>></span><b><span style='font-family:"Century Gothic",sans-serif'> </span></b><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>As stated above, all industries do not understand how and where SHA1 certificates are in use. Many do not know who or where to reach out to in order to affect changes. We think notification timeliness was not the problem. Our opinion is that more periodic notifications could have been sent out after initial notification and industry forums should have sponsored workshops on possible early issue identification and resolution. Some in the payment industry use multiple CAs; this presents an opportunity for future consideration of the CAB Forum to take the leadership role in sponsoring one of these workshops at security summits, payment transaction conferences, communication industry conferences, etc., to get the message out.<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p></div></div></div></div></div></body></html>