[cabfpub] Posted on behalf of customer

Dean Coclin Dean_Coclin at symantec.com
Thu Dec 15 22:05:36 UTC 2016

The below was written by FD and I am posting on their behalf:


When we requested our certificates previously, there was general acknowledgment in the forum that December 31 was the most difficult time for these certificates to expire. Even so, our request was limited so that the certificates were set to expire at this time and others were extended into 2017. The only justification for the difference in treatment was unrelated to the application itself. We believe that the coordinated decision to grant different extension dates was inappropriate for the members of the CA/B Forum who are competing entities acting as a standards setting organization. This individualized decision effectively prevents merchants from reaching one provider over another. 


Beyond that consideration, the following factors have changed from our prior request, which we believe justifies reconsideration of the limitation: 


*	We have deployed individual equipment to merchants wherever possible, using all available inventory for those merchants that utilize POS terminals 
*	We have deployed the pulled root as suggested, although this solution has limited effectiveness
*	We have conducted temporary SHA-2 upgrades to drive compliance, and many merchants are reaching out to vendors or need to replace systems


These efforts have helped us upgrade or validate over 90% of devices communicating with our systems can utilized a SHA-256 certificates. 


In many cases, however, merchants need to completely upgrade software that is integrated into other aspects of their business and require additional time to complete the changeover.  In other cases, merchants have not been able to address these issues while they are in this peak sales period, but have indicated that they will, following the holidays. 


The requested extension will not only provide them time to complete this process, but also allow them to transition outside of the peak sales season.




From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Tuesday, December 13, 2016 4:43 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Dean Coclin <Dean_Coclin at symantec.com>; Halliday, Morgan <Morgan.Halliday at firstdata.com>
Subject: Re: [cabfpub] Posted on behalf of customer




I appreciate you sharing this request. While Rich expresses quite a bit of disagreement, it does seem to ignore the many efforts the Forum has taken, both as individual members and collectively, to provide steps for recourse.


It does not feel that this request shares any new information from the original request, but if I have misunderstood, it would be useful to understand what has changed. During the previous discussions, it was pointed out a number of fundamental issues here - highlighted by Gerv in this thread - https://cabforum.org/pipermail/public/2016-September/008484.html


Do you believe there's any new information that disagrees with that summary and conclusion?


On Tue, Dec 13, 2016 at 1:40 PM, Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> > wrote:

Rich Salz (rsalz at akamai.com <mailto:rsalz at akamai.com> ) requested I post this. Please note these are Rich's opinions, and while we disagree with quite a bit, at least bears sharing.


-----post begins-----


I understand the desire to remove SHA-1 before it has actually shown true weakness.


I don’t see any concern with allowing special-case issuance, particularly for embedded devices, as long as the notAfter period doesn’t exceed the current policy.  I see no additional cryptographic risk from a 39 month cert that’s been in use for a year, and a 27 month cert that is just being issued.  I’ve been in discussions with various folks who know far more than I do, and nobody has posited any real issue with this, except perhaps that there will be a “rush” to issue SHA1 certs that all expire at the same time, and that this will be a problem for the ecosystem.  I call BS on that.  The webPKI has already shown that it can absorb 90-day certs on the order of millions over months.


If the consortium is not as sanguine as I am, then there are various controls it can exert. For example, it can issue a finite number of tokens (even as low as one) per SHA1 request.  It can mandate that a forum-provided extension (such as the SHA1 hash of an LE cert for the same domain) be included as random data to prevent attacks.


Y’all should do what you need to do, to allow the SYMC/FirstData request.  Not doing so looks like, to me an outsider, as petulance and bullying for no justifiable reason than “because we said so.”


On Mon, Dec 12, 2016 at 9:40 PM, Dean Coclin via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:

I have been asked to post this request to the CA/B Forum, and specifically the browsers, to expedite visibility on behalf of a customer. Responses should be addressed to the author, cc’d on this note:


First Data is returning to the CA/B Forum to again request an extension of our SHA-1 certificates.  Over the last year and a half First Data has been working diligently with our Partners and Clients to convert more than a million and a half Clients to be able to use SHA-256 certificates.  Our business has coordinated with its many Bank Partners, Joint Ventures, Software Vendors, Independent Sales Organizations and Direct Merchants and we have made incredible progress. This has been accomplished by intense email and print mail efforts, outbound calling campaigns, software certifications, proactive delivery of new terminals at no cost to the Clients and a series of upgrades to servers that have in some cases have forced Clients to upgrade.  First Data has utilized some of the Forum’s suggestions such as the pulled root solution to alleviate impact and for Clients that this option works, we are limiting the length of time that this will apply.  With all of these efforts we have narrowed down the list of impacted Clients and are making continued best efforts to concentrate on those most impacted.


Despite these efforts, we are very concerned about the impact of the December 31 expiration. We believe that approximately 10% of the merchants utilizing these platforms would not be able to process once our certificates expire. The December 31 expiration offers little opportunity for us to make sure that they have upgraded. These next few weeks, Merchants in our industry are in the busiest and most intense period of the year with the Holiday season at its peak between now and December 31st.  Software vendors and Bank Partners not to mention First Data itself is in a period of a system’s freeze that extends into mid-January and for some software changes are locked down and cannot be made.  With the current expiration of December 31, 2016 there will be significant impact to both Merchants and consumers alike as they will be unable to purchase goods and services and make returns from prior purchases not to mention this will have an impact on New Year’s Eve and New Year’s Day activities.  


We believe that the disparate approach to First Data’s requested extension compared to the extension through February 9, 2017 that was granted to a competitor was inappropriate. There was no technical basis for the distinction. Nonetheless, by granting us a shorter extension the CA/B Forum is essentially prohibiting those merchants that for whatever reason cannot readily update to software that can accommodate a SHA-256 certificate from using the services of First Data or the many banks and other processors that are clients of First Data, while permitting those merchants to utilize the services of our competitors.  

By granting First Data less time than it has our competitors, the CA/B Forum is singling us out, granting to our competitors a critical advantage that it has denied to First Data. While we (and the Banks and others that utilize our platforms) have been reaching out to advise those Merchants that rely on our services as aggressively as we can for some time, the expiration of the certificates during the peak sales season puts us at a distinct disadvantage and harms our Merchants. The impact will primarily be on small, ”mom-and-pop” Merchants that are both technically not sophisticated and which can least afford a disruption to the sales that they rely upon. These Merchants are much less likely to be responsive to our continued letters and calls that we make to them during the peak season as they are focusing on making the sales that they need to carry them through the year. 


Our request is to obtain an extension through February 9, 2017 that will allow us to complete the conversion with as little disruption to these businesses, consumers and commerce in general as possible.  There are processors who are using SHA-1 certificates through May 2017. Singling out First Data for a December 31 expiration  seem unreasonable given the incredible progress we have made to date and the progress we feel can be made after this busiest time of year, we feel it not only fair but prudent.  We welcome the CA/B Forum’s response.




Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org> 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161215/b1f16553/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5723 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161215/b1f16553/attachment-0001.p7s>

More information about the Public mailing list