[cabfpub] Need exception to 1024-bit revocation requirement

Rick Andrews Rick_Andrews at symantec.com
Thu Jun 6 19:36:35 UTC 2013


It's come to our attention that we've issued 1024-bit SSL certs to customers that use them with what are called "pre-PCI POS PIN acceptance devices", and that those devices are incapable of working with a 2048-bit key. VISA has stated that those devices may be used until December 31, 2014 (see http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CDcQFjAA&url=http%3A%2F%2Fusa.visa.com%2Fdownload%2Fmerchants%2Fretirement-of-pre-pci-attended-pos-pin-entry-devices.pdf&ei=Nd6wUaa2ForXigKb-4BY&usg=AFQjCNHtHptM1jQudRTl8pnMx-MKC7z6fw&sig2=ItouLeVwv8wkQYGpi9nPVQ&bvm=bv.47534661,d.cGE), and our customers feel that revoking them will cause grave financial harm.

These devices perform the client side of SSL, so there is no browser involved at all. It's unfortunate that these certs chain up to public roots and are therefore subject to Baseline Requirements, but I believe that it was standard practice for CAs to issue all SSL certs from their public roots. In many cases we didn't even know that the customer was using them with a device and not a browser.

Therefore I feel we need an exception to not revoke 1024-bit certs that we determine are used by these devices. Given the environment in which they are used, and given that VISA is forcing customers to phase these out, I feel it would be very low risk to simply let these certs live until their expiration.

I welcome your comments.

-Rick


