Speaking for myself ... My personal impression is that by the time they are brought up here, far too many issues have easily predicted and pre-determined outcomes.
I know most of the security and key management people for the payment industry very well [1], and they're good people. The discussions are generally one or two orders of magnitude more sophisticated (and far more polite) than what happens in the web ecosystem. Yes, there's a lot of silliness in payments, but that's what happens when you try to run and manage a low cost/high volume payment system with complex interconnected audit requirements from multiple SDOs, implemented by hundreds of companies with their own unique perspectives at global scale. They did not deserve the treatment they received. Perhaps things would have gone better if Symantec wasn't involved, but I was shocked at how the situation was handled. I attempted to speak up a few times in various fora but it was pretty clear that anything that wasn't security posturing wasn't going to be listened to, and finding a practical solution was not on the agenda. It was pretty clear sitting in the room that certain persons had already made up their minds before they even understood what a payment terminal was, how they are managed, and what the costs and risks were for each potential alternative. 
-Tim

[1] whenever you swipe a payment card, the card number is likely encrypted with keys from an algorithm that I was first to implement: https://x9.org/x9news/asc-x9-releases-standard-ensuring-security-symmetric-key-management-retail-financial-transactions-aes-dukpt-algorithm/ https://x9.org/wp-content/uploads/2018/03/X9.24-3-2017-Python-Source-20180129-1.pdf

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Nick Lamb via dev-security-policy
> Sent: Thursday, September 27, 2018 5:34 AM
> To: dev-security-policy@lists.mozilla.org
> Cc: Nick Lamb <n...@tlrmx.org>
> Subject: Re: Google Trust Services Root Inclusion Request
>
> On Wed, 26 Sep 2018 23:02:45 +0100
> Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > Thinking back to, for example, TSYS, my impression was that my post on the Moral Hazard from granting this exception had at least as much impact as you could expect for any participant. Mozilla declined to authorise the (inevitable, to such an extent I pointed out that it would happen months before it did) request for yet another exception when TSYS asked again.
>
> Correction: The incident I'm thinking of is First Data, not TSYS, a different SHA-1 exception.
>
> Nick.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy