[cabfpub] Proposal of a SHA-1 exception procedure
Liddle, Alan
alan.liddle at trustis.com
Mon Jun 6 14:33:54 UTC 2016
Dear all
Andrew has highlighted the need for SHA-1 in the finance sector.
Can I also point out that a similar situation prevails in the healthcare sector. The inability to obtain SHA-1 certificates has seriously impacted availability of Critical Clinical Systems. I am informed that this has resulted in direct impact on patient care in a number of cases.
Regards
Alan Liddle
Director
Trustis Ltd
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Andrew R. Whalley
Sent: 03 June 2016 21:54
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Proposal of a SHA-1 exception procedure
Greetings,
At the face-to-face meeting in Bilbao we heard there's still a need for new SHA-1 certs from some sectors, most notably the payment industry, to avoid outages of critical systems with real-world impact. We discussed if there was a way we might balance these cases against the vitally important need to ensure the security and safety of the public PKI.
Please take a look at the proposed procedure, attached. It outlines a way for CAs to request an exceptional SHA-1 issuance, including details which would help with a risk management decision. It's not a guarantee that any such issuance would be acceptable, but provides a more structured approach than what's already occurred this year, e.g. with Worldpay.
I look forward to comments.
Cheers,
Andrew