On Wed, Oct 5, 2016 at 10:02 PM, Michael Ströder <mich...@stroeder.com> wrote:
> Dean Coclin wrote:
>> First Data's customers don't use browsers so Firefox can disable SHA-1
>> tomorrow and not affect them.
>
> So why have your CA certificate trusted in Firefox's cert DB?
>
>> First Data has asked for a reasonable extension which doesn't affect
>> browsers.
>
> If it does not "affect browsers" why do you need an extension?
The impact on browsers could be broken down into two parts:

1) An expectation they would work with the resulting certificate
2) The risk that someone uses this to create a hash collision allowing them to create a different certificate that is used with browsers.

I think Dean's point is that #1 is not true here. Presumably these certificates could even be blacklisted by browsers. However, #2 is where the risk lies.

As we have seen with previous requests, the core challenge here is that many device vendors have chosen to embed a CA trust list in their devices that is based on the list used by web browsers. From my own experience, this is something that continues today with consumer electronics. They take a point-in-time snapshot of the Mozilla list, embed it in the device, and expect anyone interacting with the device to get a certificate from one of those CAs.

This inherently sets up a conflict -- these same device vendors frequently don't release updates for the devices, so the assumption is that the CAs they choose (which is usually a unilateral decision) will continue to issue certs compatible with the device for the lifetime of the device. With the transition to SHA-256 or better, this has become a challenge.

I think we can all look back with 20/20 hindsight and say that device vendors should not use the same roots as browsers and that maybe CAs should have created "SHA-1 forever" roots for devices that never plan to update, but that is great hindsight. We have the problem now, so we need an answer.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy