[cabfpub] SHA1 options for payment processors

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Sun Mar 13 16:40:44 MST 2016 

Trend Micro doesn’t have a dog in this fight – we have no customers asking us for SHA-1 certs – but I think the conversation has gone in the wrong direction.

Dean has proposed a general procedure with objective criteria by which a CA may issue SHA-1 certs that expire by Dec. 31, 2016, and which is intended to ensure that these interim SHA-1 certs will NOT be trusted by any of the browsers (and which includes some fairly ingenious methods for ensuring they will not be trusted).  In fact, this creates greater user security than if the customers managed to purchase one year SHA-1 certs on Dec. 31, 2015, which they could have done, so already Dean’s proposal is an improvement on the existing security situation for SHA-1 certs.

Dean’s draft criteria included some objective business and technical requirements similar to what we already have for BR 6.3.2, which carves out limited, objective  circumstances under which a CA can issue a 60-month DV or OV cert instead of limiting the cert to 39 months (basically, BR 6.3.2 requires the CA to confirm that the customer has a legacy app that will fail with a cert of less than 60 months validity period and where there is no known security risk to Relying Parties, etc.).   That is a very good approach to a situation like this.

Early in this discussion, someone made a comment along the lines of “I don’t want to approve any general criteria for allowing these interim, untrusted SHA-1 certs, instead I want to approve such certs on a case-by-case basis for each and every applicant, who must make its case to me.”  I think that’s a really bad approach.

First, what more do we really need to know?  It has already been explained to us that there are many non-browser devices whose makers decided in the 1990s (and without consulting with CAs) to create a limited trusted root store for the devices from existing roots used only to issue SHA-1 certs, and these devices can’t be updated to accept SHA-256 certs – that is clear enough.

We already know these devices could have gotten a SHA-1 cert in December 2015 from CAs that would have been good through Dec. 31, 2016 (and so could have avoided asking for any special consideration), but these device makers and owners were not aware of or maybe did not pay attention to the deadline, in part because they do not provide browser-based devices and so do not closely follow the work of the CA-Browser Forum.

We already know that CAs sent multiple notices and warnings to their customers about the impending SHA-1 deadline, and as with most things some customers understood the warnings and acted, while others did not – that’s typical for all companies, and we know that even some browsers made mistakes in implementation of the SHA-1 deadline.  That’s human nature.

There used to be a pathetic TV show called “Queen for a Day” in which truly unfortunate women would go on TV and plead their case why they should win the prize (a washing machine, a wheelchair, etc.), revealing the most pitiful details of their lives to try to move the audience.  At the end, the show’s host would hold his hand above the head of each woman and a machine would measure the level of audience applause; the woman who told the most awful personal story would win the prize, and the others would win nothing after their embarrassing confessions.

There have been some arguments on this thread for making customers who have a dire need for emergency SHA-1 certs to keep their non-browser devices working through the end of 2016 (and who could have purchased SHA-1 certs through last December to do that with no trouble!) to go through for a very public process to shame the customers and scold them for missing the deadline.  To what purpose?  What else will we learn by making Company X or Bank Y tell us “We have ATMs in 5,000 locations, and the doofus who orders certs for them didn’t know about or ignored the December 2015 deadline.”  OK, now what?  Are the members of the CAB Forum really in a position to judge or second guess this situation?  I know I’m not.

So instead of making time for special pleading on a case-by-case basis from customers who have a desperate need for these SHA-1 certs (which will be untrusted in the browsers), let’s focus instead on approving a set of objective criteria for allowing such certs that can then be implemented by those CAs who want to accommodate their customers.  And let’s not waste time demanding some sort of public “People’s Court” where each and every customer has to reveal the details of its problem – that’s not going to add useful information that we can evaluate, and is not really a very nice way to treat people.

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160313/036d2364/attachment.html

More information about the Public mailing list