On 24/02/16 19:27, Jeremy Rowley wrote:
> I believe the concern is that Worldpay is asking for an exception by saying,
> "We've tried 'things' and they didn't work - can we please have a SHA1
> cert?" We don't know what these 'things' they've tried are or whether there
> is an alternative. Lots of customers have asked for SHA1 certs on the
> premises that they need them because of old devices. Is this one special?
> Perhaps, but the alternatives should first be considered.

I believe that large chunks of Worldpay got this right; one part of the business "didn't get the memo" and missed the deadline for cert renewal at the end of the year. Once they found out, a short time ago, they tried the "non-BR root" method but that only covered 90% of devices due to divergent root stores. (200,000 devices use these servers, so 20,000 would still be affected if they went that way - that's where the numbers we have been using come from.)

> When creating OneCRL, Mozilla expressed concerns about the potential size of
> the CRL if end entity certs were included. Now, they are being asked to
> include 10,000 end-entity certs in OneCRL (which are not even revoked).

Sorry if this wasn't clear originally; they don't need one cert per terminal, they need one cert per receiving server. The number of certs concerned is nine (9).

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy