[cabfpub] Application for SHA-1 Issuance

Dean Coclin Dean_Coclin at symantec.com
Wed Jul 27 17:19:04 UTC 2016


I saw an email from Marc Stevens on the Mozilla list a few days ago which 
indicated he tested both the original set of TBS certs and the 2nd set and did 
not see any issues.

(See: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/sku5NYXdpOM)



Are there other questions that folks would like to ask or concerns that can be 
addressed?



Symantec is awaiting approval from browsers to schedule the signing ceremony 
this weekend if possible.



Thanks,
Dean



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On 
Behalf Of Ryan Sleevi
Sent: Monday, July 25, 2016 4:26 PM
To: Rob Stradling <rob.stradling at comodo.com>
Cc: Dean Coclin <Dean_Coclin at symantec.com>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Application for SHA-1 Issuance







On Mon, Jul 25, 2016 at 2:20 PM, Rob Stradling <rob.stradling at comodo.com 
<mailto:rob.stradling at comodo.com> > wrote:

IINM, both Gerv and Ryan indicated (or at least strongly implied) that
rigid construction was a prerequisite for their (Mozilla's and Google's)
approval of TSYS's request.  Did I misread something?



From https://cabforum.org/pipermail/public/2016-July/008096.html



"Certificates whose contents are entirely predictable or in line with
precedent would also be acceptable; but it seemed like there were
several questions about that floating around, and doing the serial
numbers by strict construction makes them all moot. If you want to try
dealing with all the questions about the contents instead, you are
welcome to try."



Also, I don't see the relevance of "strong consensus".  AIUI, there must
be unanimous agreement.  If just one root program operator rejects
TSYS's request, then you can't issue the SHA-1 certs.  Similarly, if
just one root program operator says rigidly constructed serial numbers
are required, then you can't use random serial numbers.
