[cabfpub] Posted on behalf of customer

Gervase Markham gerv at mozilla.org
Fri Dec 16 14:27:54 UTC 2016

<snip lots of stuff which is not new and was known when the original
determination was made>

On 13/12/16 05:40, First Data via Dean Coclin via Public wrote:
> We believe that the disparate approach to First Data’s requested
> extension compared to the extension through February 9, 2017 that was
> granted to a competitor was inappropriate. There was no technical basis
> for the distinction. Nonetheless, by granting us a shorter extension the
> CA/B Forum is essentially prohibiting those merchants that for whatever
> reason cannot readily update to software that can accommodate a SHA-256
> certificate from using the services of First Data or the many banks and
> other processors that are clients of First Data, while permitting those
> merchants to utilize the services of our competitors. 

Well, _everyone's_ SHA-1 certificates which were issued in 2015 or 2016
and which are part of the WebPKI expire at the latest on December 31st
2016. (If that's not so, you should point out those certs, as they were
issued in violation of the BRs and root program requirements.) Those who
have certificates with longer lives than that will have had them issued
in 2014 or earlier. This 'deadline in the middle of the Christmas
period' applies to all the payment processors who have managed this
process and their customers in accordance with the dates published many
years ago, and so have not needed to apply to the CAB Forum for any sort
of extension or exception.

The sole exception is one competitor, TSYS, who managed to get some
certificates expiring 40 days after that due to an oversight. I'm not
concerned about this from a competition perspective; it would surely be
less disruptive for a merchant to obtain updated equipment from First
Data than to obtain new equipment and make a new relationship with TSYS.

It is worth noting that the only organizations who would have a need to
utilise the exception process are those who have failed to plan forward
sufficiently to get certificates issued in 2014 for up to 60 months, or
in 2015 for expiry on December 31st 2016. I'm sure many organizations
did such forward planning; but First Data, TSYS and WorldPay did not.

Giving First Data new certificates at this point would effectively be
saying to all of those payment processors who have managed to make the
massive effort to convert by the published deadline "well, sucks to be
you, doing all that work - you could have just asked for an extension
instead". This is the moral hazard argument deployed last time, and it
is still very forceful.

Not singling out First Data, but it remains deeply disappointing to me
that the payments industry is not leading the process of replacing old
and obsolete crypto with modern, unbroken algorithms, but is having to
be dragged along. It should not be the case that my blog requires better
quality crypto to work than my merchant's connection to his payment
processor; and that would be the case for any payment processor who
continues to use SHA-1 in 2017.

> We have deployed individual equipment to merchants wherever possible,
> using all available inventory for those merchants that utilize POS
> terminals

You have depleted the inventory of terminals and yet not upgraded
everyone? Surely that means that you failed to get enough upgraded
terminals manufactured, so that even if all the remaining merchants had
wanted to upgrade, they couldn't?

What is/was First Data's plan for when all these merchants start
contacting their VARs or whoever on January 1st or 2nd and asking for
updated equipment like, yesterday? Say "sorry, we've deployed them all;
ask again in a month or two"?

> We have conducted temporary SHA-2 upgrades to drive compliance, and
> many merchants are reaching out to vendors or need to replace
> systems

First Data had the option to, and was advised to, take an aggressive
approach to this particular method back when merchants were not in the
Christmas period or a systems freeze. If a merchant's payment processing
stopped working for the first 5 minutes of every hour, I can imagine
them trying to find out why pretty darn quickly. I can't remember if the
conversation where First Data told me about why that wasn't done was a
public or private conversation, but I will just say that I was entirely
unconvinced by the reasoning, and I warned them that this made it more
likely that more merchants would be unconverted by the deadline. It
seems I was correct.

I'm also not convinced that if merchants have been ignoring the calls to
upgrade for the past N months, they will all suddenly have an epiphany
and convert by February 9th. Surely we are going to be back here in
another month and a half? Or is First Data pinky-swearing that it will
definitely let them all get cut off at that point, definitely certainly,
even if no more have upgraded since now?

> There are
> processors who are using SHA-1 certificates through May 2017. 

As noted, if these are part of the Web PKI and were issued in 2015,
please point them out so we can take the CA concerned to task for BR
violations. If they were issued before that, you can congratulate the
payment processor for their foresight.
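The "point them out" test above is mechanical: for each certificate in a processor's inventory, read the signature algorithm and the validity period, then apply the sunset rule as this post summarises it (the BR section 7.1.3 text introduced by Ballot 118: no SHA-1 issuance from 2016-01-01, and SHA-1 certificates issued in 2015 must expire by 2016-12-31). The script below is an added example, not code from the post, from Mozilla or from the CA/B Forum. It parses only the DER fields the check needs with the standard library, and it assumes the following: the processor names are hypothetical, the sample certificates are constructed and unsigned (empty signatureValue, empty names and SPKI), the SHA-1 signature OIDs come from RFC 3279, and no signature or chain verification is performed.

```python
"""SHA-1 sunset check over DER certificates (added example, not the post's code)."""
from datetime import datetime, timezone

UTC = timezone.utc
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
NO_SHA1_ISSUANCE_FROM = datetime(2016, 1, 1, tzinfo=UTC)      # BR 7.1.3 (Ballot 118), as the post states it
SHA1_MUST_EXPIRE_BY = datetime(2016, 12, 31, 23, 59, 59, tzinfo=UTC)

def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=UTC)

def der_read(buf, pos=0):            # one TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):             # elements of a constructed value as (tag, value)
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def decode_time(tag, value):         # UTCTime (0x17) or GeneralizedTime; Zulu form per RFC 5280
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=UTC)

def parse_cert(der):                 # inner and outer signature algorithm plus validity
    _, cert, _ = der_read(der)
    _, tbs, pos = der_read(cert)                     # tbsCertificate
    _, outer_alg, _ = der_read(cert, pos)            # signatureAlgorithm (outside the signed TBS)
    f = der_children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0                  # optional EXPLICIT [0] version
    (t1, nb), (t2, na) = der_children(f[i + 3][1])   # validity
    return {"sig_oid": decode_oid(der_children(f[i + 1][1])[0][1]),
            "outer_sig_oid": decode_oid(der_children(outer_alg)[0][1]),
            "not_before": decode_time(t1, nb), "not_after": decode_time(t2, na)}

def classify(cert):                  # verdict for one parsed certificate under the rule above
    if cert["sig_oid"] != cert["outer_sig_oid"]:     # RFC 5280 4.1.1.2 requires these to match
        return "malformed: tbsCertificate.signature != signatureAlgorithm"
    if cert["sig_oid"] not in SHA1_SIG_OIDS:
        return "ok: not SHA-1"
    nb, na = cert["not_before"], cert["not_after"]
    if nb >= NO_SHA1_ISSUANCE_FROM:
        return "violation: SHA-1 issued on/after 2016-01-01"
    if nb.year == 2015:
        return ("violation: SHA-1 issued in 2015 but expires after 2016-12-31"
                if na > SHA1_MUST_EXPIRE_BY else "legacy: SHA-1 issued 2015, expires by 2016-12-31")
    return "legacy: SHA-1 issued before 2015 (up to 60 months was allowed then)"

# --- constructed, unsigned test certificates; the builder mirrors the parser ---
def der_tlv(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def build_cert(sig_oid, not_before, not_after, outer_oid=None):  # minimal v3 skeleton, no real key
    alg = lambda oid: der_tlv(0x30, der_tlv(0x06, encode_oid(oid)) + b"\x05\x00")
    when = lambda dt: der_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))          # version v3
                  + der_tlv(0x02, b"\x01") + alg(sig_oid)               # serial, signature
                  + der_tlv(0x30, b"")                                   # issuer (empty)
                  + der_tlv(0x30, when(not_before) + when(not_after))    # validity
                  + der_tlv(0x30, b"") + der_tlv(0x30, b""))             # subject, SPKI (empty)
    return der_tlv(0x30, tbs + alg(outer_oid or sig_oid) + der_tlv(0x03, b"\x00"))

SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
SAMPLES = {                          # hypothetical processors, constructed data
    "processor-A": build_cert(SHA1_RSA, utc(2015, 3, 2), utc(2016, 12, 31, 23, 59, 59)),
    "processor-B": build_cert(SHA1_RSA, utc(2015, 6, 1), utc(2017, 5, 31, 23, 59, 59)),
    "processor-D": build_cert(SHA256_RSA, utc(2016, 11, 1), utc(2018, 11, 1)),
}

def audit(certs):                    # name -> verdict, as you would run over an inventory
    return {name: classify(parse_cert(der)) for name, der in certs.items()}
```

To run this over live endpoints rather than the constructed samples, convert the PEM returned by ssl.get_server_certificate() with ssl.PEM_cert_to_DER_cert() and pass the bytes to audit(). The "malformed" verdict exists because the outer signatureAlgorithm sits outside the signed tbsCertificate and so cannot be trusted on its own; only the inner field is covered by the signature. The script verifies neither signatures nor the chain, so a "violation" result is a triage signal to take to the issuing CA, not proof of a BR violation by itself.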
