[cabfpub] Proposal of a SHA-1 exception procedure

Dean Coclin Dean_Coclin at symantec.com
Fri Jun 17 19:02:27 UTC 2016

Perhaps I should offer up again one of the representatives of these companies 
or trade associations the opportunity to present on our next call. This will 
give you and others the chance to ask your questions directly w/o this back 
and forth which is not productive. This dialog will be recorded in our minutes 
so there will be no opportunity for anything other than a transparent 
discussion. You can hear firsthand what I stated below (which I quoted 
directly from them).

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, June 17, 2016 12:58 PM
To: Dean Coclin <Dean_Coclin at symantec.com>
Cc: Gervase Markham <gerv at mozilla.org>; CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Proposal of a SHA-1 exception procedure

On Fri, Jun 17, 2016 at 9:46 AM, Dean Coclin <Dean_Coclin at symantec.com 
<mailto:Dean_Coclin at symantec.com> > wrote:

No Processor's legal department will allow them to put out a public form 
saying, "We are using SHA-1". They don't understand why browsers think this is 
a good idea.
If you're going to make broad, sweeping, absolute statements, then it would 
help if you - or the customers you're claiming to represent - would explain 
why. If your goal is to suggest that Google reconsider the need for 
transparency, then you - and those customers - have an obligation to explain 
why that is. Statements like the above, and statements like you've made on the 
thread, objectively do not help further the discussion, and only serve to 
postpone and delay any further consideration of SHA-1 allowances.

If your goal is to support your customers, you're only hurting them with 
statements like this.

A useful furtherance of the discussion, rephrasing what you said, might be

"It's unlikely that payment processor's legal department will allow them to 
publicly admit "We are using SHA-1", because of [concerns X, Y, Z]."

Of course, to also reiterate the previous discussions, "because security and 
privacy" aren't really concrete or actionable concerns - they're opaque, 
vague, and broad. They don't help inform the discussion about the tradeoffs - 
about the need for ecosystem transparency.

If the proposition is that "Admitting you use SHA-1 is to put yourself at 
risk", then please consider what you're asking - that the entire Internet 
trust ecosystem accept the risk on behalf of that payment processor (and those 
like them), that need SHA-1 certificates. That's a completely unreasonable 
request, without further details.
