[cabfpub] Need exception to 1024-bit revocation requirement

Rick Andrews Rick_Andrews at symantec.com
Fri Jun 7 08:54:36 MST 2013


Gerv,

I haven't yet determined if these devices can handle some other key size. Good idea. 

Your understanding is correct. However, I should add that one customer has told us that they have a letter from Visa allowing them to continue to use these pre-PCI devices until 12/31/15 (one more year). Unfortunately, their legal team doesn't wish to share that document with us. 

I agree with you that the greater risk is to users of these devices, not so much to users of web PKI.

Please try to see this from the customer's perspective. As far as they are concerned, Visa is the controlling entity for the use of these devices. Then the CABF comes along and tells them they have to phase them out sooner because of risk to browser users. 

-Rick

On Jun 7, 2013, at 3:10 AM, "Gervase Markham" <gerv at mozilla.org> wrote:

> On 06/06/13 22:51, Ryan Sleevi wrote:
>> Thanks for confirming that these certs do present possible risk to
>> the Web PKI and the users that rely upon it.
> 
> Can we evaluate that risk for a moment?
> 
> AIUI, the situation is that there are Visa or bank-owned servers out
> there to which these devices connect using an SSL connection, and the
> devices require a 1024-bit server cert.
> 
> (Rick: have you checked whether they can deal with 1536 or some other
> intermediate size?)
> 
> The risk is that 1024-bit certs become factorable. If that happens, then
> attackers would be able to break into these connections and steal the
> credit card data of customers purchasing from merchants who are still
> using these terminals. This is not a risk to web users in the course of
> their using the web, but a risk to those customers.
> 
> This risk is greater than it should be for 1 year - the time between the
> BR 1024-bit deadline and Visa's deadline before which these merchants
> will have needed to buy new equipment anyway.
> 
> Requiring the certs be revoked basically means telling Visa that it will
> need to change the deadline from Dec 31st 2014 to Dec 31st 2013 - in
> other words, businesses who thought they had 18 months to replace their
> equipment now have 6. Businesses have been working towards the current
> Visa deadline for 3 years.
> 
> Have I got this right so far?
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
