[cabfpub] Proposal of a SHA-1 exception procedure
jodycl at microsoft.com
Mon Jun 6 19:57:23 UTC 2016
I don’t know how to put comments in the Github version, but this doesn’t reflect what we agreed to in Bilbao. In Bilbao, we agreed to a streamlined process in which the requestor would only have to submit the proposed certificate. Therefore, steps 3-9 are not what we discussed, especially 7 because it is essentially “shaming,” and we don’t support that in this process. If you remove that, we agree that this is what we discussed, and we will support this.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Andrew R. Whalley
Sent: Monday, June 6, 2016 10:19 AM
To: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Proposal of a SHA-1 exception procedure
To make commenting easier, I've converted the doc to Markdown and put it on Github:
Pull requests most welcome.
I've incorporated the feedback from Eric about ensuring the list is CCed on any response, and some typos he caught.
(For anybody who's looked at the PDF, the differences from that are minor and shown here<https://github.com/awhalley/docs-for-comment/compare/0d991867eea023b3d60e3485685ee341f2dc2668...ae0261cd723487f44cc6301f939fbc2350e5a381?name=ae0261cd723487f44cc6301f939fbc2350e5a381&short_path=74615fb#diff-74615fb5efdb17b5b1e612614841494b>)
On Fri, Jun 3, 2016 at 1:53 PM, Andrew R. Whalley <awhalley at google.com<mailto:awhalley at google.com>> wrote:
At the face to face meeting in Bilbao we heard there's still a need for new SHA-1 certs from some sectors, most notably the payment industry, to avoid outages of critical systems with real world impact. We discussed if there was a way we might balance these cases against the vitally important need to ensure the security and safety of the public PKI.
Please take a look at the proposed procedure, attached. It outlines a way for CAs to request an exceptional SHA-1 issuance, including details which would help with a risk management decision. It's not a guaranty that any such issuance would be acceptable, but provides a more structured approach than what's already occurred this year, e.g. with worldpay.
I look forward to comments.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public