[cabfpub] Proposal of a SHA-1 exception procedure
Dean_Coclin at symantec.com
Fri Jun 17 16:46:25 UTC 2016
I think you may have missed a thread from a while back that explained the massive challenges faced by the payment card industry in replacing millions of terminals worldwide, many of which are not owned by the processors. I'm not going to rehash that here but suffice to say that while most terminals have been updated/replaced, there are numerous that belong to smaller mom/pop stores, charitable organizations and others that use them less frequently and these have been the most challenging to replace. While progress is being made, the time to complete is beyond the deadlines passed by the Forum.
No Processor's legal department will allow them to put out a public form saying, "We are using SHA-1". They don't understand why browsers think this is a good idea.
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Friday, June 17, 2016 11:35 AM
To: Dean Coclin <Dean_Coclin at symantec.com>; Eric Mill <eric at konklone.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Proposal of a SHA-1 exception procedure
On 16/06/16 20:05, Dean Coclin wrote:
> If I said, “Dean Coclin’s Really Valuable Credit Card Processing Center”
> is using a SHA-1 certificate, isn’t that like painting a target on me?
Well, is it?
If “Dean Coclin’s Really Valuable Credit Card Processing Center”
continues to have faith in SHA-1 to protect credit cards, why are they coy about declaring that they are using it? And if they no longer have such faith, a) why are they asking for a new cert, and b) there are plenty of other ways that an attacker could discover that they are using it; leaving the information off here is security by obscurity.
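Gerv's point that a relying party could discover SHA-1 use through other channels has a defender-side counterpart: an operator can inventory its own certificates and find the SHA-1-signed ones before any deadline bites. The script below is an added example, not code from the cabforum thread or from any processor; it walks the DER structure of an X.509 certificate with the standard library only, reads the outer signatureAlgorithm field, and maps its OID to a hash name. The OID table is a small assumed subset of the RFC 3279/4055/5758 identifiers, and the three sample "certificates" are constructed minimal DER skeletons (empty TBS body, empty signature) built in the code so it runs offline.

```python
import base64

# Assumed subset of signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
}


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Turn OID content octets into dotted-decimal form (base-128 arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def signature_hash(cert_der: bytes):
    """Return (key algorithm, hash) from Certificate.signatureAlgorithm, or None if unknown."""
    tag, body, _ = _read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE { tbs, algid, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)        # tbsCertificate is skipped
    tag, algid, _ = _read_tlv(body, pos)     # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return SIGNATURE_OIDS.get(_decode_oid(oid_bytes))


def is_sha1(cert_der: bytes) -> bool:
    """True when the certificate's signature uses SHA-1."""
    info = signature_hash(cert_der)
    return info is not None and info[1] == "SHA-1"


# Constructed sample skeletons (not real certificates):
# SEQUENCE { SEQUENCE {} , SEQUENCE { OID }, BIT STRING (empty) }
def _skeleton(oid_der: bytes) -> bytes:
    algid = b"\x30" + bytes([len(oid_der)]) + oid_der
    inner = b"\x30\x00" + algid + b"\x03\x01\x00"
    return b"\x30" + bytes([len(inner)]) + inner


SHA1_RSA_CERT = _skeleton(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")
SHA256_RSA_CERT = _skeleton(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
SHA256_ECDSA_CERT = _skeleton(b"\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02")

if __name__ == "__main__":
    samples = [("sha1-rsa", SHA1_RSA_CERT),
               ("sha256-rsa", SHA256_RSA_CERT),
               ("sha256-ecdsa", SHA256_ECDSA_CERT)]
    for name, cert in samples:
        verdict = "SHA-1: replace" if is_sha1(cert) else "ok"
        print(f"{name}: {signature_hash(cert)} -> {verdict}")
```

For a real inventory, feed `signature_hash` the bytes of each deployed certificate (DER directly, or `pem_to_der` on PEM). A fuller check would also read the `signature` field inside tbsCertificate, which RFC 5280 requires to match the outer one, but for finding SHA-1 in a fleet the outer field is what relying parties evaluate.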