[cabfpub] Help to support SHA-1 for POS terminals

Rob Stradling rob.stradling at comodo.com
Thu Apr 7 13:55:09 UTC 2016

Doug, do these terminals trust any roots removed from browsers that 
belong to other CAs (i.e. not GlobalSign) ?

On 07/04/16 14:45, Doug Beattie wrote:
> Hi Dean,
> Unfortunately GlobalSign does not have any roots we can pull from the
> current root program, thus the request.
> Doug
> *From:* Dean Coclin [mailto:Dean_Coclin at symantec.com]
> *Sent:* Thursday, April 7, 2016 9:12 AM
> *To:* Doug Beattie <doug.beattie at globalsign.com>; public at cabforum.org
> *Subject:* RE: Help to support SHA-1 for POS terminals
> Do you know which roots the terminals support? We’ve had good success by
> using roots removed from browsers but still exist in terminals.
> Dean
> *From:* public-bounces at cabforum.org <mailto:public-bounces at cabforum.org>
> [mailto:public-bounces at cabforum.org] *On Behalf Of *Doug Beattie
> *Sent:* Thursday, April 07, 2016 6:48 AM
> *To:* public at cabforum.org <mailto:public at cabforum.org>
> *Subject:* [cabfpub] Help to support SHA-1 for POS terminals
> Per related posts on this topic, I’m forwarding an email from one of our
> customers for a request to issue them 2 SHA-1 SSL certificates which
> will allow them to continuing POS terminals  until they complete their
> SHA-2 migration later this year.
> GlobalSign would like approval to issue 2 SHA-1 SSL certificates to the
> domains below which would expire before 1/1/2017 and which would have 20
> bits of entropy in the serial number field.
> Doug
> ------------------------------------------------------------------------
> *From:*SERGIO EDUARDO SOLARI ANGELO <ssolari at bpd.com.do
> <mailto:ssolari at bpd.com.do>>
> *Sent:* Wednesday, April 6, 2016 6:37:34 PM
> *To:* Doug Beattie; Laila Robak
> *Cc:* vgonzalez at seguridadamerica.com <mailto:vgonzalez at seguridadamerica.com>
> *Subject:* Help to support SHA-1
> Dear Sirs.
> We would like to present the following situation for your consideration.
> Since February 7th 2016 we have established a relationship with
> /Seguridad America/ a representative of Global Sign. Our previous CA was
> /Symantec Verisign/ represented by Cert Superior and we were issued a
> certificate that supports SHA-1 and they failed to inform us that this
> protocol had a deadline.
> We urgently need your consideration for the issuance of a certificate
> that can support SHA-1. If not, we would be under serious risk of losing
> operations in an estimated 13,000 POS terminals which operate under our
> current “stand-alone” platform which would require nationwide onsite
> visits for software upgrades and in some cases hardware replacement
> which would need to undergo a purchasing process.
> Based on previous explanation, we request your consideration and your
> assistance in this urgent matter. We would require 2 certificates that
> support SHA-1 for the rest of calendar year 2016, while we continue the
> acquisition and deployment of the terminals. We estimate that this
> process would conclude by November.
> It’s very critical for Banco Popular to get the certificates that
> support SHA-1 in order to avoid important financial loss and affect
> thousands of Customers that we serve.
> The expiration date of the two certificates of Production is May 22^nd
> 2016.
> The domains of the certificates are:
>      pos.azul.com.do
>      pos2.azul.com.do
> We highly appreciate your consideration of this matter and thank you in
> advance for any assistance you may be able to provide given that we had
> no knowledge of this situation and therefore the scope of its impact.
> Our Best Regards
> */Sergio E. Solari A./*
> Technology Executive Vice president
> - Este mensaje y sus anexos pueden contener información confidencial y
> privilegiada con la intención de que sea utilizada por las personas u
> organizaciones a quienes esta dirigida, por lo que su uso es exclusivo
> para su destinatario. Si usted ha recibido este mensaje por error, favor
> de eliminarlo e informar al remitente del mensaje a través de un correo
> de respuesta. Si este es el caso, le notificamos que queda estrictamente
> prohibida la distribución o reproducción de este e-mail y/o sus anexos.
> Grupo Popular no se hace responsable de las opiniones vertidas en esta
> comunicación que no estén acordes con su quehacer y fines, y que no se
> revistan de un carácter oficial.
> - This message and its enclosures may contain confidential and
> privileged information intended for the use of people and organizations
> to which it is directed and its use is thus limited to its addressee. If
> you have received this message by mistake, please eliminate it and
> inform the sender through a reply message. Should this be the case, you
> are advised that the distribution or reproduction of this e-mail and/or
> any attachments contained herein is strictly forbidden. Grupo Popular is
> not liable for opinions expressed in this message which may not coincide
> with its responsibilities and purpose and which may not express official
> matters.
> Grupo Popular.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list