[cabfpub] Help to support SHA-1 for POS terminals

Peter Bowen pzb at amzn.com
Thu Apr 7 16:46:06 UTC 2016


I agree there needs to be a vendor-neutral process.  I just finally hit send on a reply to Dean’s email from a month ago that proposes an option.

A different option that might work for many terminals would be to create a new CA with a cross-cert with an EKU extension that contains a custom key purpose.  I suspect that many terminals do not implement EKU constraining of CAs while browsers do, so that might be a more generic solution.


> On Apr 7, 2016, at 8:31 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> Rob,
> They probably do, but is that relevant to the request?  We would like to provide our customers with the certificates they need.  If there is, or if there is going to be, a process for allowing CAs to issue SHA-1 SSL certificates on a case by case basis from roots that are currently in the Root programs, then we would like to do that.
> Doug
>> -----Original Message-----
>> From: Rob Stradling [mailto:rob.stradling at comodo.com]
>> Sent: Thursday, April 7, 2016 9:55 AM
>> To: Doug Beattie <doug.beattie at globalsign.com>
>> Cc: Dean Coclin <Dean_Coclin at symantec.com>; public at cabforum.org
>> Subject: Re: [cabfpub] Help to support SHA-1 for POS terminals
>> Doug, do these terminals trust any roots removed from browsers that belong to
>> other CAs (i.e. not GlobalSign) ?
>> On 07/04/16 14:45, Doug Beattie wrote:
>>> Hi Dean,
>>> Unfortunately GlobalSign does not have any roots we can pull from the
>>> current root program, thus the request.
>>> Doug
>>> *From:* Dean Coclin [mailto:Dean_Coclin at symantec.com]
>>> *Sent:* Thursday, April 7, 2016 9:12 AM
>>> *To:* Doug Beattie <doug.beattie at globalsign.com>; public at cabforum.org
>>> *Subject:* RE: Help to support SHA-1 for POS terminals
>>> Do you know which roots the terminals support? We've had good success
>>> by using roots removed from browsers but still exist in terminals.
>>> Dean
>>> *From:* public-bounces at cabforum.org
>>> <mailto:public-bounces at cabforum.org>
>>> [mailto:public-bounces at cabforum.org] *On Behalf Of *Doug Beattie
>>> *Sent:* Thursday, April 07, 2016 6:48 AM
>>> *To:* public at cabforum.org <mailto:public at cabforum.org>
>>> *Subject:* [cabfpub] Help to support SHA-1 for POS terminals
>>> Per related posts on this topic, I'm forwarding an email from one of
>>> our customers for a request to issue them 2 SHA-1 SSL certificates
>>> which will allow them to continue operating POS terminals until they complete
>>> their SHA-2 migration later this year.
>>> GlobalSign would like approval to issue 2 SHA-1 SSL certificates to
>>> the domains below which would expire before 1/1/2017 and which would
>>> have 20 bits of entropy in the serial number field.
>>> Doug
>>> ------------------------------------------------------------------------
>>> *From:* SERGIO EDUARDO SOLARI ANGELO <ssolari at bpd.com.do
>>> <mailto:ssolari at bpd.com.do>>
>>> *Sent:* Wednesday, April 6, 2016 6:37:34 PM
>>> *To:* Doug Beattie; Laila Robak
>>> *Cc:* vgonzalez at seguridadamerica.com
>>> <mailto:vgonzalez at seguridadamerica.com>
>>> *Subject:* Help to support SHA-1
>>> Dear Sirs.
>>> We would like to present the following situation for your consideration.
>>> Since February 7th 2016 we have established a relationship with
>>> /Seguridad America/ a representative of Global Sign. Our previous CA
>>> was /Symantec Verisign/ represented by Cert Superior and we were
>>> issued a certificate that supports SHA-1 and they failed to inform us
>>> that this protocol had a deadline.
>>> We urgently need your consideration for the issuance of a certificate
>>> that can support SHA-1. If not, we would be under serious risk of
>>> losing operations in an estimated 13,000 POS terminals which operate
>>> under our current "stand-alone" platform which would require
>>> nationwide onsite visits for software upgrades and in some cases
>>> hardware replacement which would need to undergo a purchasing process.
>>> Based on previous explanation, we request your consideration and your
>>> assistance in this urgent matter. We would require 2 certificates that
>>> support SHA-1 for the rest of calendar year 2016, while we continue
>>> the acquisition and deployment of the terminals. We estimate that this
>>> process would conclude by November.
>>> It's very critical for Banco Popular to get the certificates that
>>> support SHA-1 in order to avoid important financial loss and affect
>>> thousands of Customers that we serve.
>>> The expiration date of the two certificates of Production is May 22nd 2016.
>>> The domains of the certificates are:
>>>     pos.azul.com.do
>>>     pos2.azul.com.do
>>> We highly appreciate your consideration of this matter and thank you
>>> in advance for any assistance you may be able to provide given that we
>>> had no knowledge of this situation and therefore the scope of its impact.
>>> Our Best Regards
>>> */Sergio E. Solari A./*
>>> Technology Executive Vice president
>>> CIO
>>> - This message and its attachments may contain confidential and
>>> privileged information intended for use by the persons or
>>> organizations to whom it is addressed, so its use is exclusive to
>>> its recipient. If you have received this message in error, please
>>> delete it and inform the sender by reply e-mail. If this is the
>>> case, we notify you that the distribution or reproduction of this
>>> e-mail and/or its attachments is strictly prohibited.
>>> Grupo Popular is not responsible for opinions expressed in this
>>> communication that are not in line with its work and purposes and
>>> that are not of an official nature.
>>> - This message and its enclosures may contain confidential and
>>> privileged information intended for the use of people and
>>> organizations to which it is directed and its use is thus limited to
>>> its addressee. If you have received this message by mistake, please
>>> eliminate it and inform the sender through a reply message. Should
>>> this be the case, you are advised that the distribution or
>>> reproduction of this e-mail and/or any attachments contained herein is
>>> strictly forbidden. Grupo Popular is not liable for opinions expressed
>>> in this message which may not coincide with its responsibilities and
>>> purpose and which may not express official matters.
>>> Grupo Popular.
>>> _______________________________________________
>>> Public mailing list
>>> Public at cabforum.org
>>> https://cabforum.org/mailman/listinfo/public
>> --
>> Rob Stradling
>> Senior Research & Development Scientist
>> COMODO - Creating Trust Online
>> Office Tel: +44.(0)1274.730505
>> Office Fax: +44.(0)1274.730909
>> www.comodo.com
>> COMODO CA Limited, Registered in England No. 04058690 Registered Office:
>>   3rd Floor, 26 Office Village, Exchange Quay,
>>   Trafford Road, Salford, Manchester M5 3EQ
>> This e-mail and any files transmitted with it are confidential and intended
>> solely for the use of the individual or entity to whom they are addressed.  If you
>> have received this email in error please notify the sender by replying to the e-
>> mail containing this attachment. Replies to this email may be monitored by
>> COMODO for operational or business reasons. Whilst every endeavour is taken
>> to ensure that e-mails are free from viruses, no liability can be accepted and
>> the recipient is requested to use their own virus checking software.
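Peter's cross-cert idea hinges on whether a relying party applies EKU constraints to CA certificates, not only to the leaf. As an added example (not code from this thread or from any CA), the following builds a root, a cross-certified CA whose EKU carries only a custom key purpose (placeholder OID), and a serverAuth leaf, then evaluates the chain two ways: a browser-style check that requires serverAuth in every CA's EKU, and a terminal-style check that ignores CA EKU entirely. The names and OID are assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CUSTOM_POS_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")  # placeholder, not a real assignment
SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH

def _cert(subject, issuer, key, issuer_key, ca, eku):
    """Build a minimal certificate; eku=None omits the extension entirely."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now)
         .not_valid_after(now + timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def build_chain():
    """Constructed chain: root -> cross-cert CA (custom EKU only) -> serverAuth leaf."""
    root_key, cross_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Public Root", "Public Root", root_key, root_key, True, None)
    cross = _cert("POS CA", "Public Root", cross_key, root_key, True, [CUSTOM_POS_OID])
    leaf = _cert("pos.example", "POS CA", leaf_key, cross_key, False, [SERVER_AUTH])
    return [leaf, cross, root]

def eku_of(cert):
    """Set of EKU OIDs, or None when the extension is absent (unconstrained)."""
    try:
        return set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        return None

def allows_server_auth(chain, enforce_ca_eku):
    """EKU evaluation only (signatures, names and validity are out of scope here).
    enforce_ca_eku=True mirrors browsers: serverAuth must be permitted by every CA
    in the path; False mirrors a terminal that consults the leaf EKU alone."""
    leaf, *cas = chain
    leaf_eku = eku_of(leaf)
    if leaf_eku is not None and SERVER_AUTH not in leaf_eku:
        return False
    if not enforce_ca_eku:
        return True
    return all(eku_of(c) is None or SERVER_AUTH in eku_of(c) for c in cas)
```

The custom-EKU cross-cert therefore scopes the new CA out of browser-trusted TLS while a terminal that skips CA EKU checks still accepts its leaves, which is exactly the property the proposal relies on.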