[cabfpub] Application for SHA-1 Issuance

Dean Coclin Dean_Coclin at symantec.com
Wed Jul 20 15:19:25 MST 2016


Posted on behalf of TSYS below



-----Original Message-----
From: Gervase Markham
Sent: Wednesday, July 20, 2016 4:57 AM
Subject: Re: [cabfpub] Application for SHA-1 Issuance

On 19/07/16 18:16, Dean Coclin wrote:
> In some cases it would be fair to say that affected customers have
> ignored campaigns, but not in all cases. It has been a difficult task
> to confirm all impacted clients where TSYS does not provide the user
> application. In some of those cases, the process of upgrading can be
> either (or both) time consuming and expensive, resulting in a need for more 
> time to make all required updates.

Leaving aside whether it should have been done earlier, it seems from the 
timeline given that TSYS customers globally were notified of the need to 
upgrade or replace their terminals on 8th December 2015 - which is 7.5 months 
ago.

If TSYS feel it is unreasonable for those customers to have acted to upgrade 
or replace their hardware within 7.5 months, what amount of lead time do TSYS 
think would have been appropriate?

>> All industries do not understand how and where SHA1 certificates are in use 
>> and the many locations some industries have to reach out to in order to 
>> affect the changes.  We think notification timeliness was not the problem; 
>> two years to 18 months would work.  Our opinion is that more periodic 
>> notifications could be sent out after initial notification and industry 
>> forums could sponsor workshops on possible early issue identification and 
>> resolution.  Some in the payment industry use multiple CAs; this presents 
>> an opportunity for future consideration of the CAB Forum to take the 
>> leadership role in sponsoring one of these workshops at security summits, 
>> payment transaction conferences, communication industry conferences, etc., 
>> to get the message out.

If some security issue is discovered with a subset of deployed terminals (for 
example, that they are leaking customer credit card information to attackers 
in some way), on what sort of timeline does TSYS expect customers to upgrade 
to fixed versions of the terminal in that sort of case, in order not to be 
denied service for the protection of consumers?

>> In the event of discovery of a device or merchant that has been compromised 
>> or is under investigation for compromise, TSYS will immediately terminate a 
>> merchant's terminal ID(s), Device(s) and Access.



