[cabfpub] Application for SHA-1 Issuance

Dean Coclin Dean_Coclin at symantec.com
Thu Jul 21 18:23:24 UTC 2016


Answers posted on behalf of TSYS below…

From: Ryan Sleevi
Sent: Monday, July 18, 2016 9:54 PM
Subject: Re: [cabfpub] Application for SHA-1 Issuance

On Mon, Jul 18, 2016 at 10:47 AM, Dean Coclin <Dean_Coclin at symantec.com <mailto:Dean_Coclin at symantec.com> > wrote:

The response I received from TSYS regarding the OU value is as follows:

"The value at the end of the OU, is an independent cryptographically created
identity value used by TSYS Support for the sole purpose of identifying the
site where the services terminate."

I'm hoping that TSYS might be able to provide a little more context here about why these are needed, because I'm having trouble understanding this reply.

I'll note Andrew is not the only person to have raised concerns about this; Nick Lamb (CC'd) raised similar concerns in https://groups.google.com/d/msg/mozilla.dev.security.policy/LM9tkZR9mLM/ACBIRX7GAAAJ .

I can see several possible (likely benign) interpretations for TSYS's reply, but it might be better if they could explain more or provide additional context, so as to reassure the relying public about the purpose of these values.

>>See TSYS reply to Andrew R. Whalley @ https://cabforum.org/pipermail/public/2016-July/008041.html

In addition, understanding the answers to Andrew's other questions - particularly Question 3 - might help avoid the need for this issuance entirely.

>>As a practice, for the SSL/TLS Payment Gateway Services, TSYS Acquiring generates new Private Keys, passphrases and CSRs for every issuance of SSL/TLS Certificates. This is to avoid unnecessary revocation due to deprecated process, content management/controls and any risks related to key retention and broad re-use.

Question 1)

From the timeline in #7, it sounds like TSYS didn't begin planning the SHA-1 transition until 8 months after Symantec's communication (Jan 16, 2015 vs April 1, 2014), and only became aware of remaining systems with potential issues on November 30, 2015 - is that correct? That is, I'm having trouble making sense of the event that occurred on November 30, 2015, and do want to make sure I understand, since it sounds like this may be a key part to understanding how we can do better in the Forum in the future, at least with respect to this situation.

>> The team responsible for certificate management within the TSYS subsidiary received the notifications but did not understand the full impact and complexity of dealing with POS terminals at diverse locations under varied ownership / responsibility.

Question 2)

Based on the response to #8, one of the improvements is "Additional lead times to implement solutions from CAs" - but I'm unsure what's meant by that. It sounds like there was already a 20 month lead time for the transition, with an 8 month gap before action was taken, and there were still difficulties. Could TSYS perhaps expand on what was meant by this? If, in the future, the Forum needs to deprecate something, the lead times for that deprecation will necessarily be dictated by the Forum and its deprecation schedule, so it's not entirely clear that we'll get better.

>> Additional “lead times” may more accurately be stated that the pervasive and ubiquitous nature of where SHA1 certificates existed and the complexity of dealing with POS terminals at diverse locations under varied ownership / responsibility was not fully understood by TSYS and still may not be understood by the entire CAB Forum membership.

Question 3)

Based on #7, it sounds like Symantec's notification of the SHA-2 transition on April 1, 2014 was the first notice that TSYS had about the need to migrate away from SHA-1. It's also unclear if there were further communications between then and November 30, 2015 (the internal report) and December 15, 2015 (the need to accelerate). Is this correct? I'm asking to try to understand if this issue may have been partly caused by a lack of communication by the CA, a lack of communication by the industry, a lack of clarity in the communications, or something else entirely.

>> As stated above, all industries do not understand how and where SHA1 certificates are in use. Many do not know who or where to reach out to in order to affect changes. We think notification timeliness was not the problem. Our opinion is that more periodic notifications could have been sent out after initial notification and industry forums should have sponsored workshops on possible early issue identification and resolution. Some in the payment industry use multiple CAs; this presents an opportunity for future consideration of the CAB Forum to take the leadership role in sponsoring one of these workshops at security summits, payment transaction conferences, communication industry conferences, etc., to get the message out.

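The two technical points in the thread above are the per-issuance key hygiene TSYS describes (a new private key and CSR for every certificate, so nothing carries over from an earlier issuance) and the property the whole application turns on (whether a certificate's signature is SHA-1). The script below is an added example, not code from TSYS, Symantec or the CA/Browser Forum: it generates a fresh key and CSR for two consecutive issuances of the same placeholder service name, stands in for the CA by self-signing each CSR, then reports the signature algorithm of the resulting certificate and checks that the key was not reused. It assumes only the `openssl` command-line tool; the directory, file names and `gateway.example.invalid` are placeholders.

```shell
#!/bin/sh
# Added example (not TSYS's, Symantec's or CA/Browser Forum code). Requires the
# openssl CLI; all paths are placeholders in a scratch directory.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# new_key_and_csr NAME CN
# Generate a brand-new 2048-bit RSA key and CSR for this issuance; a key from a
# previous issuance is never reused. -nodes keeps the demo passphrase-free; TSYS
# says it also generates a fresh passphrase per issuance.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$1.key" -subj "/CN=$2" -out "$WORKDIR/$1.csr" 2>/dev/null
}

# self_sign NAME DIGEST
# Stand-in for the CA: sign the CSR with its own key using DIGEST (e.g. sha256).
# A real CA returns the certificate; this just produces one to inspect.
self_sign() {
  openssl x509 -req -in "$WORKDIR/$1.csr" -signkey "$WORKDIR/$1.key" \
    -days 30 "-$2" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# sig_alg CERT: print the signature algorithm name, e.g. sha256WithRSAEncryption
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# is_sha1_signed CERT: succeed only if the certificate signature is SHA-1 based
is_sha1_signed() {
  case "$(sig_alg "$1")" in
    sha1*) return 0 ;;
    *)     return 1 ;;
  esac
}

# spki_fp FILE: SHA-256 fingerprint of the DER SubjectPublicKeyInfo. Accepts a
# PEM certificate or a PEM private key (not a CSR), so a certificate can be
# matched to the key it was issued for and compared with the previous issuance.
spki_fp() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER
  else
    openssl pkey -in "$1" -pubout -outform DER
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Two consecutive issuances for the same service name, fresh key each time.
new_key_and_csr gw-2015 gateway.example.invalid
self_sign gw-2015 sha256
new_key_and_csr gw-2016 gateway.example.invalid
self_sign gw-2016 sha256

echo "2016 certificate signed with: $(sig_alg "$WORKDIR/gw-2016.crt")"
if is_sha1_signed "$WORKDIR/gw-2016.crt"; then
  echo "WARNING: SHA-1 signature; current browsers reject this chain"
fi
if [ "$(spki_fp "$WORKDIR/gw-2015.crt")" = "$(spki_fp "$WORKDIR/gw-2016.crt")" ]; then
  echo "WARNING: public key reused across issuances"
else
  echo "OK: 2016 key differs from 2015 key"
fi
```

Pointing `sig_alg` and `is_sha1_signed` at a certificate received from a real CA is the check a relying party or an auditor of an exception request like this one would run; `spki_fp` across the previous and current certificate is how to verify, from the certificates alone, that the "new private key per issuance" practice was actually followed.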