[cabfpub] SHA1 options for payment processors

Ryan Sleevi sleevi at google.com
Thu Mar 10 18:02:15 UTC 2016

On Thu, Mar 10, 2016 at 9:30 AM, Dean Coclin <Dean_Coclin at symantec.com> wrote:

> To that end, I would reiterate - to have a productive discussion of this,
> if there is to be a productive discussion at all, these customers need to
> be able to come forward and publicly discuss their issues, so that we can
> make an informed, data-driven decision on a case-by-case basis as to how
> best to mitigate the risks - to the ecosystem, to policies, to these
> customers - rather than trying to generalize it with a papered-over
> solution that allows an untold number of SHA-1 certificates to be issued,
> particularly if it favors a single CA.
> >> I think I answered most of this in my previous email which provided
> >> history and background.

I appreciate your replies, however, your replies are not productively
adding to the conversation here.

We will not and cannot guarantee an exception, which is what you're saying
is the only way we will get these parties to come forward. That's not a
productive debate - that's using your customers' unfortunate decisions to
act as hostages towards a solution. I think if there is opportunity to find
a path forward for these customers, we simply need them coming forward. If
they're unwilling or unable to, then I think the blame lies fully with them
if we're unable to come towards a solution.

> Again, if the forum can say that “if you come forward, we will help you
> find a solution” then I think a productive discussion is worthwhile.

We will explore a solution. We will not guarantee one.

> For example, it sounds like a blacklisted intermediate could be a solution
> (haven’t heard any negatives yet) but the reluctance is this was not meant
> to be used in this use case. Sure, I get that. But when circumstances are
> presented which affect a large population such as this, we have to be
> creative and not rule any out.

Dean, I will not entertain discussing with you why a blacklisted
intermediate cannot be a solution unless and until we have the customers
coming forward, but it certainly cannot be said that you have not heard any
negatives, publicly or privately. That's just disingenuous - I addressed it
in my very first reply. Symantec, of all CAs, should be familiar with the
harm and challenges that blacklisting an intermediate under the current
ecosystem presents - as Symantec's ample cross-signatures and "unique" PKI
have prevented both Google and Microsoft from distrusting your "removed"
root, which continues to issue SHA-1 without consideration of the ecosystem
or harm being done.