[cabfpub] SHA1 options for payment processors

Thu Mar 10 19:00:11 MST 2016

More replies below:

I appreciate your replies, however, your replies are not productively adding to the conversation here.

>>Perhaps not for you but there are a few others reading this email thread which may have a different opinion ;-)

We will not and cannot guarantee an exception, which is what you're saying is the only way will get these parties to come forward. That's not a productive debate - that's using your customers' unfortunate decisions to act as hostages towards a solution. I think if there is opportunity to find a path forward for these customers, we simply need them coming forward. If they're unwilling or unable to, then I think the blame lies fully with them if we're unable to come towards a solution.

Again, if the forum can say that “if you come forward, we will help you find a solution” then I think a productive discussion is worthwhile. 

We will explore a solution. We will not guarantee one.

>>I don’t think I asked for a “guarantee”, only an expression of assistance. To date, the communication has been fairly negative which doesn’t exude much faith from the requestors. But I’m curious what “solution” will be explored given all the information I’ve provided. I don’t know what other information you expect to gain by talking directly to the end users. The “what, when, why and how” asked in the initial email have been answered. All you’re missing is the “who”.   It could be Big Bank of the East or Contoso Corp. How does that help determine a solution? Are you saying the name of the company will dictate the solution? Whatever the solution is, all parties will agree to publish the cert in CT and other lists (as previously mandated by Mozilla) so everyone will know the domain.  Having said that, I will see what I can do to have a “guest speaker” join our call next week as a first step.

On a similar topic, today I was on a call with another affected party that was using a SHA-1 cert for server to server communication in a mission critical application in which the cert expires next week. No browser is involved. Again, these folks aren’t attune to this issue as those in this forum and thought that since it didn’t involve browsers, they could get a SHA-1 certificate this year. His argument was that he could get a SHA-1 code signing cert, why not server to server. He was shocked to learn that we couldn’t do that and has no idea how to solve this for one of the largest banks in the world. I bring this up only to highlight the extent of this issue. 

Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160310/c1363eb3/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20160310/c1363eb3/attachment.bin 