Peter Gutmann wrote:
Wouldn't it be easier to issue their own certs (or roll out equipment which relies on WorldPay certs), at which point they could follow their own policies? Their problem is that their (inexplicable) use of a public CA for a private PKI has meant they're now being held hostage to the CAB forum's cert policy.
Using private PKIs for such stuff isn't risk-free, as software vendors are confused about the security properties of their root store.
Nice example from the consumer electronics world: Android >= 4.4 is quite resistant to private PKIs. You cannot import your own or your corporate private root CAs for OpenVPN or Wi-Fi access-point security without getting persistent, nasty, user-confusing warning messages: "A third party is capable of monitoring your network activity".
http://www.howtogeek.com/198811/ask-htg-whats-the-deal-with-androids-persistent-network-may-be-monitored-warning/

Regards,
Jürgen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy