[cabfpub] SHA-1 exception request

Gervase Markham gerv at mozilla.org
Fri Sep 30 08:56:06 UTC 2016


Hi Dean,

On 29/09/16 19:52, Dean Coclin wrote:
> In accordance with the SHA-1 Exception Request procedure, we hereby submit
> the attached request on behalf of our client. 

I've been considering this application, with reference to
https://github.com/awhalley/docs-for-comment/blob/master/SHA1RequestProcedure.MD,
which I believe is the latest version.

* The answer to question 3 is not complete, in that it does not explain
whether alternative measures such as issuing from a pulled root have
been tried and if so, what the outcome was, and if not, why not.

* It seems pretty amazing that, given that this company was not unaware
of the relevant deadlines, they only bothered in August 2016 to
check and see how effective their attempts at getting the ecosystem to
upgrade were.

* This seems not to be a case of "we didn't know" or "we weren't told"
by First Data, but a case of "we were told but we didn't listen" by
First Data's community of software vendors, VARs and gateway providers.
This makes me less sympathetic - either these companies have failed to
communicate to their customers the importance of the impending deadline,
or the customers have simply ignored the communications. And they have
no-one to blame but themselves.

* Do the proposed certificates "correspond to an Existing
Certificate..." as outlined in the section "Existing Certificate
Information" in the procedure doc? If they do, can crt.sh links be
provided for the existing certificates? If not, is that because matching
certs existed but were not logged, or because other changes have been
made? If the latter, can it be explained why the additional changes to
the certificate contents are needed? In general, it seems that while the
answers to the initial questions have been provided, the data requested
by this section has not.

* The procedure doc says that validity of exceptional certificates may
not extend beyond 31st December 2016. First Data is asking for 15th
March 2017, which is impermissible as the doc stands. (The CAB Forum has
regularly had discussions about how the end of a calendar year is a bad
time for deadlines; however, in this case, the actual deadline was a
year ago, so I don't think this complaint can be made in this case.)

* Given the above, I wonder whether, if the only way to make the
affected retailers pay attention is if their devices actually stop
working, it's best for that to happen in October/November rather than on
December 31st, in the middle of the Christmas period.

Gerv