On 24/02/16 02:38, Peter Gutmann wrote:
> I'm curious about what's going on here, as you say this is a private PKI, so
> why do they need certs from a public CA?  Presumably Worldpay is doing this
> for B2B comms, so why don't they issue their own certs, and they can keep
> using SHA-1 for as long as required?  It seems like Worldpay's mistake wasn't
> failing to update SHA-1 only devices, it was using a public CA for a private
> PKI.

Indeed, but that mistake may have been made 15 or 20 years ago. No CA
today would recommend this course of action. However, once hardware is
in the field, it's often very hard to change. The fact that this sucks
from a security perspective, we would both agree on - but it's true.

dev-security-policy mailing list
