[cabfpub] SHA-1 exception request
Dean_Coclin at symantec.com
Tue Oct 18 16:10:55 MST 2016
Although I had conversations with some folks over the meeting break today, I'm
going to post my request here to follow the procedure on the public list.
It's become abundantly clear that further attempts to get approval from 2 of
the 4 browsers for a date beyond December 31st isn't going to result in the
requested change. So let me switch gears and discuss what's been approved by
Mozilla and Google on the public list so far.
Approval has been granted for issuance of the requested First Data certs (from
the TBS certs generated for review) with the only difference being the
expiration dates. However, this will require generating new TBS certs for
As the group knows, First Data's certificate expires on Oct 27th. They can't
wait until that day to install (for obvious reasons of testing, and insuring
no problems with the certs or their installation that would affect 300K
merchants) and they have scheduled an installation window later this week. We
don't really have time to generate new TBS certs with the approved expiration
dates and submit them for cryptanalysis testing (per the procedure).
I would like to suggest an alternative approach for consideration by the
Given that the current TBS certs have passed cryptanalysis, could you allow
the issuance of the TBS certs as presented, and mandate that the CA revoke
certs on 12/31 (or the next business day). This is an auditable event and
browsers can push that revocation out to their clients via their own methods.
I believe this meets the intent of the affected browsers by protecting their
users after that date. It also avoids disruption to First Data clients on
I ask that this compromise suggestion be given fair consideration in light of
the tight timing.
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Tuesday, October 18, 2016 2:00 PM
To: Dean Coclin <Dean_Coclin at symantec.com>; CABFPub <public at cabforum.org>
Cc: Halliday, Morgan <Morgan.Halliday at firstdata.com>; Sidoriak, Evan S
<Evan.Sidoriak at firstdata.com>
Subject: Re: [cabfpub] SHA-1 exception request
We discussed this this morning, but this draft was half-written, so:
On 13/10/16 21:58, Dean Coclin wrote:
> Thank you for the prompt response to First Data's application. While
> we appreciate the approval and await responses from other browsers,
> I'd like to point out that this deadline doesn't really help First
> Data and the merchants much.
It gives them up to an extra two months to fix things, if they want it.
If having everything break on 31st December is a problem, First Data always
have the option of permanently upgrading their infrastructure to
SHA-2 on a more convenient date earlier than that. They have control over when
they stop using SHA-1.
So it's wrong to characterise this as a "December 31st cutoff".
> First Data requested an expiration in March and while I understand
> Mozilla's reluctance to approve a date that late, I was hoping they
> would at least receive equal treatment as TSYS with a February 9th
TSYS was a bit unfortunate - not sure how that happened. I seem to remember I
was moving house at the time, and conditioned my acceptance on Google's
acceptance. I want to be consistent, and now I'm faced with the choice of
being consistent with policy or with precedent. Having weighed this up, the
moral hazard argument is most weighty. Other companies have bust a gut to get
this done by the end of the year. And it would be ridiculous that, come 1st
January, my blog would be required to have better security in order to work
than a merchant handling my credit card.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5723 bytes
Desc: not available
More information about the Public