[cabfpub] Proposal of a SHA-1 exception procedure

Liddle, Alan alan.liddle at trustis.com
Mon Jun 6 14:33:54 UTC 2016

Dear all

Andrew has highlighted the need for SHA-1 in the finance sector.
Can I also point out that a similar situation prevails in the healthcare sector.  The inability to obtain SHA-1 certificates has seriously impacted availability of Critical Clinical Systems. I am informed that this has resulted in direct impact on patient care in a number of cases.

Alan Liddle
Trustis Ltd

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Andrew R. Whalley
Sent: 03 June 2016 21:54
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Proposal of a SHA-1 exception procedure


At the face to face meeting in Bilbao we heard there's still a need for new SHA-1 certs from some sectors, most notably the payment industry, to avoid outages of critical systems with real world impact.  We discussed if there was a way we might balance these cases against the vitally important need to ensure the security and safety of the public PKI.

Please take a look at the proposed procedure, attached.  It outlines a way for CAs to request an exceptional SHA-1 issuance, including details which would help with a risk management decision.  It's not a guaranty that any such issuance would be acceptable, but provides a more structured approach than what's already occurred this year, e.g. with Worldpay.

I look forward to comments.


