It's 9 certs. They go on the head end, the gateway. The deployed devices have a finite trust list that relies on certain roots. Getting new EEs on 10k devices that don't auto-enroll is physically impossible in a merchant network with no OTA/OTW path. Plus if the issue was TLS mutual auth from the client, presumably root store trust reconfiguration at the 9 servers could be done while holding lunch in the other hand.
Kind regards,
Steve

On Wed, Feb 24, 2016 at 2:27 PM Jeremy Rowley <jeremy.row...@digicert.com> wrote:
> Technically, Worldpay had a lot longer than four days to figure this out....
> It's not like SHA1 issues jumped out from behind a bush to scare everyone.
>
> I believe the concern is that Worldpay is asking for an exception by saying,
> "We've tried 'things' and they didn't work - can we please have a SHA1 cert?"
> We don't know what these 'things' they've tried are or whether there is an
> alternative. Lots of customers have asked for SHA1 certs on the premise that
> they need them because of old devices. Is this one special? Perhaps, but the
> alternatives should first be considered.
>
> When creating OneCRL, Mozilla expressed concerns about the potential size of
> the CRL if end entity certs were included. Now, they are being asked to
> include 10,000 end-entity certs in OneCRL (which are not even revoked). This
> is contrary to their previous policy decision to keep OneCRL small. 10k
> certs isn't big. 10k certs for ONE customer is significant.
>
> Jeremy
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Steve
> Sent: Wednesday, February 24, 2016 7:43 AM
> To: Gervase Markham; Eric Mill; mozilla-dev-security-pol...@lists.mozilla.org
> Cc: Kathleen Wilson; Richard Barnes
> Subject: Re: Proposed limited exception to SHA-1 issuance
>
> Given OCSP support in the terminal software, this isn't likely to be archaic
> firmware open to ignoring criticality. Since money is flowing here, audits
> would scream at even older hash options or intentional defect exploitation.
>
> From experience securing an application that moved 30% of all cash that
> changed hands in a business day, I can state that no financial services
> company of this scale will expose their network to an untested certificate
> chain. Four days are not enough time to test alternate chains or
> certificate designs.
>
> Kind regards,
> Steve
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
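The exchange above turns on whether a deployed chain keeps validating once a root store stops accepting SHA-1 signatures. The following is an added example, written for this page and not code from the thread or from Worldpay, DigiCert or Mozilla, of the inventory check an operator would run over the gateway certificates before deciding anything. It uses only the Python standard library and a minimal DER reader that walks the outer Certificate SEQUENCE from RFC 5280 (tbsCertificate, signatureAlgorithm, signatureValue) and reports the signatureAlgorithm OID. The two sample certificates are constructed shells with a placeholder tbsCertificate and signature, built only to exercise that outer structure; the function names are my own.

```python
"""Inventory a certificate chain for SHA-1 signatures (stdlib only).

Added example, not code from the mailing-list thread. It walks the outer
Certificate SEQUENCE defined in RFC 5280 (tbsCertificate, signatureAlgorithm,
signatureValue) with a minimal DER reader and reports the signatureAlgorithm
OID, which is what a root store or an operator checks when deciding whether a
chain is still acceptable once SHA-1 signatures are rejected.
"""
import base64

# OIDs of SHA-1 based signature algorithms (RFC 3279 / RFC 5758 values).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content octets into dotted-decimal form."""
    first = raw[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Strip PEM armour and base64-decode the body."""
    body = "".join(line for line in pem_text.splitlines()
                   if line and not line.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)          # tbsCertificate (skipped here)
    tag, alg_id, _ = _read_tlv(cert_body, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm must be a SEQUENCE")
    tag, oid_raw, _ = _read_tlv(alg_id, 0)          # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _decode_oid(oid_raw)


def find_sha1_signed(chain_der):
    """Return (index, oid, name) for every chain member signed with SHA-1."""
    hits = []
    for i, der in enumerate(chain_der):
        oid = signature_algorithm_oid(der)
        if oid in SHA1_SIGNATURE_OIDS:
            hits.append((i, oid, SHA1_SIGNATURE_OIDS[oid]))
    return hits


# --- constructed sample input: not real certificates, only the outer DER shell ---

def _der(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _fake_cert(alg_oid_bytes):
    """Build a stand-in certificate: dummy TBS, real AlgorithmIdentifier shape."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                          # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, alg_oid_bytes) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xAB" * 8)                        # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA1_CERT = _fake_cert(bytes.fromhex("2A864886F70D010105"))    # sha1WithRSAEncryption
SAMPLE_SHA256_CERT = _fake_cert(bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSAEncryption

if __name__ == "__main__":
    chain = [SAMPLE_SHA1_CERT, SAMPLE_SHA256_CERT]
    for idx, oid, name in find_sha1_signed(chain):
        print(f"chain[{idx}] is signed with {name} ({oid})")
```

Run it over the real chain by feeding `pem_to_der()` output for each file into `find_sha1_signed()`. Only the outer signatureAlgorithm is read, because that is the value a verifier uses when it decides whether to accept the signature; a fuller audit would also confirm it equals the `signature` field inside tbsCertificate, which RFC 5280 section 4.1.1.2 requires, and would treat a mismatch as a malformed certificate rather than silently trusting either field.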