[cabfpub] Application for SHA-1 Issuance

Gervase Markham gerv at mozilla.org
Wed Jul 20 08:57:00 UTC 2016


On 19/07/16 18:16, Dean Coclin wrote:
> In some cases it would be fair to say that affected customers have ignored 
> campaigns, but not in all cases. It has been a difficult task to confirm all 
> impacted clients where TSYS does not provide the user application. In some of 
> those cases, the process of upgrading can be either (or both) time consuming 
> and expensive, resulting in a need for more time to make all required updates.

Leaving aside whether it should have been done earlier, it seems from
the timeline given that TSYS customers globally were notified of the
need to upgrade or replace their terminals on 8th December 2015 - which
is 7.5 months ago.

If TSYS feel it is unreasonable for those customers to have acted to
upgrade or replace their hardware within 7.5 months, what amount of lead
time do TSYS think would have been appropriate?

If some security issue is discovered with a subset of deployed terminals
(for example, that they are leaking customer credit card information to
attackers in some way), on what sort of timeline does TSYS expect
customers to upgrade to fixed versions of the terminal in that sort of
case, in order not to be denied service for the protection of consumers?

Gerv


