[cabfpub] Proposal of a SHA-1 exception procedure

Eric Mill eric at konklone.com
Sun Jun 5 21:06:47 UTC 2016

I strongly suggest that in "Step Three: Response", the document specify
that when an Application Software Supplier grants a partial or full
exception, it must grant it in a reply that CCs public at cabforum.org.

Otherwise, it will be very difficult for any interested party, including
other CAs and Application Software Suppliers, to evaluate the impact and
success of this process.

-- Eric

On Fri, Jun 3, 2016 at 4:53 PM, Andrew R. Whalley <awhalley at google.com> wrote:

> Greetings,
> At the face to face meeting in Bilbao we heard there's still a need for
> new SHA-1 certs from some sectors, most notably the payment industry, to
> avoid outages of critical systems with real world impact.  We discussed if
> there was a way we might balance these cases against the vitally
> important need to ensure the security and safety of the public PKI.
> Please take a look at the proposed procedure, attached.  It outlines a way
> for CAs to request an exceptional SHA-1 issuance, including details which
> would help with a risk management decision.  It's not a guarantee that any
> such issuance would be acceptable, but provides a more structured approach
> than what's already occurred this year, e.g. with worldpay.
> I look forward to comments.
> Cheers,
> Andrew

konklone.com | @konklone <https://twitter.com/konklone>