On 24/02/16 14:40, Gervase Markham wrote:
> Hi Rob,
>
> These are extremely good questions. I have some of the answers.
>
> On 24/02/16 10:16, Rob Stradling wrote:
>> Gerv, I would really like to see more technical details about the PKI
>> software in WorldPay's terminals before offering an opinion on whether
>> or not a limited exception should be granted.  Perhaps we can find an
>> alternative technical solution for WorldPay that would have less (or
>> even no) impact on the Web PKI.  With that in mind, some questions...
>
> One trouble is that they have a heterogeneous mix of 200,000+ terminals,
> and so asking about "the software in them" is very difficult. Many are
> old, some have lost technical documentation. (Yes, this is not a good
> situation. I know.) This is why anything other than a reissuance from
> the same root of a near-identical cert is quite likely to break something.
>
> These terminals are being cycled out of use, but the industry deadline
> for the latest EMV standards is mid-2017, which doesn't match up with
> the Web PKI SHA-1 deadline.
>
>> Which roots do these WorldPay terminals trust?
>
> See above - different ones trust different roots. 90% trust a root which
> has been removed from browser root stores, but 10% do not - so if they
> use that solution, about 10% of terminals will break.

It's very unfortunate that the technical documentation for some of these terminal models has been lost. However, given that WorldPay have been able to do that 90%/10% analysis, presumably they do have a good idea of which root(s) are trusted by which terminal models.

Could we please have a list of which roots are trusted by which terminal models?

Do the 10% not trust the yanked VeriSign root because they're newer than the 90%? If so, presumably these are models for which the technical documentation has not been lost...so...are the 10% sufficiently new that they do support SHA-2?

Are any WorldPay representatives following this thread and able/willing to answer questions?

<snip>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
