[cabfpub] SHA-1 exception request
gerv at mozilla.org
Mon Oct 10 09:57:26 MST 2016
On 10/10/16 17:36, Peter Bowen wrote:
> According to Visa’s website, POS terminal vendors must cease selling
> devices that don’t support SHA-2 by April 30, 2017 (the “Device
> Expiration Date”). However Visa has not set sunset date for such
> devices. Their usage requirement says “Allowed if purchased prior to
> expiration date”.
My word. I guess I now know why they call them "POS" terminals.
I note that in January 2011, NIST recommended that "SHA-1 shall not
be used for digital signature generation after December 31, 2013."
Nearly six years after that recommendation, and three years after the
deadline, Visa has still not set a date when the security of our payment
transaction data will stop relying on this algorithm.
 Special Publication 800-131A
More information about the Public