[cabfpub] SHA1 options for payment processors

Dean Coclin Dean_Coclin at symantec.com
Sun Mar 6 13:51:51 MST 2016


I've been asked by the payment processor ecosystem to explore some options
for assisting with the SHA-1 issue. The scope of this problem is quite large
but there may be a few options for dealing with it which need vetting by
this community. I'll outline them below and would appreciate some
constructive feedback:
1. Issue and then immediately revoke a new SHA-1 certificate. 

>> It turns out some payment terminals don't check for revocation and this
would fix a large percentage of them for one North American company.
2. Issue a cert with a poison critical extension

>> Some terminals may work with this but we won't know until it can be
tested. This requires issuing a new SHA-1 cert with this extension. Browsers
would see the extension and not allow this certificate to be used.
3. Issue a cert from a new, name constrained intermediate

>> Same as #2 from a testing perspective. Browsers could blacklist this
intermediate.
It would be interesting to get feedback from not only the community at large
but specifically browsers to know what to expect from a proposed ballot.
Thanks,

Dean
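Options 2 and 3 both rest on relying-party behaviour that can be checked directly. As an added example (not code from the original post or from any CA), the Go program below builds a throwaway root, a name-constrained intermediate and a leaf with the standard library's crypto/x509 and returns what a browser-style validator does with an unrecognised critical extension and with a hostname outside the intermediate's permitted domain. Assumptions: the OID, CA names and hostnames are constructed for the example, and the chain is signed with ECDSA P-256 and SHA-256 rather than SHA-1 because Go's validator refuses SHA-1 signatures outright, which does not affect the two checks shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// issue signs tmpl under parent with the signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}
// VerifyLeaf builds root -> name-constrained intermediate (permits example.com) -> leaf for
// host, optionally adding the unknown critical extension, and returns the validator's error or nil.
func VerifyLeaf(poison bool, host string) error {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	icaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := x509.Certificate{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true}
	rootTmpl, icaTmpl := ca, ca
	rootTmpl.SerialNumber, rootTmpl.Subject = big.NewInt(1), pkix.Name{CommonName: "Test Root"}
	root := issue(&rootTmpl, &rootTmpl, &rootKey.PublicKey, rootKey)
	// Option 3: the intermediate may only issue for names under example.com (constructed domain).
	icaTmpl.SerialNumber, icaTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "Payments ICA"}
	icaTmpl.PermittedDNSDomains, icaTmpl.PermittedDNSDomainsCritical = []string{"example.com"}, true
	ica := issue(&icaTmpl, root, &icaKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if poison { // Option 2: an unrecognised critical extension must be rejected (RFC 5280 s4.2).
		// The OID is constructed for this example and is not a registered value; value is DER NULL.
		leafTmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}, Critical: true, Value: []byte{0x05, 0x00}}}
	}
	leaf := issue(leafTmpl, ica, &leafKey.PublicKey, icaKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ica)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

VerifyLeaf(false, "pos.example.com") returns nil, while the poisoned leaf fails with x509.UnhandledCriticalExtension and a leaf for a name outside example.com fails with a CertificateInvalidError whose reason is CANotAuthorizedForThisName.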
