[cabfpub] Proposal of a SHA-1 exception procedure

Ryan Sleevi sleevi at google.com
Fri Jun 17 16:57:41 UTC 2016


On Fri, Jun 17, 2016 at 9:46 AM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> No Processor's legal department will allow them to put out a public form
> saying, "We are using SHA-1". They don't understand why browsers think this
> is a good idea.
>

Dean,

If you're going to make broad, sweeping, absolute statements, then it would
help if you - or the customers you're claiming to represent - would explain
why. If your goal is to suggest that Google reconsider the need for
transparency, then you - and those customers - have an obligation to
explain why that is. Statements like the above, and statements like you've
made on the thread, objectively do not help further the discussion, and
only serve to postpone and delay any further consideration of SHA-1
allowances.

If your goal is to support your customers, you're only hurting them with
statements like this.

A useful furtherance of the discussion, rephrasing what you said, might be
"It's unlikely that payment processor's legal department will allow them to
publicly admit "We are using SHA-1", because of [concerns X, Y, Z]."

Of course, to also reiterate the previous discussions, "because security
and privacy" aren't really concrete or actionable concerns - they're
opaque, vague, and broad. They don't help inform the discussion about the
tradeoffs - about the need for ecosystem transparency.

If the proposition is that "Admitting you use SHA-1 is to put yourself at
risk", then please consider what you're asking - that the entire Internet
trust ecosystem accept the risk on behalf of that payment processor (and
those like them), that need SHA-1 certificates. That's a completely
unreasonable request, without further details.