Doug, I agree there needs to be a vendor-neutral process. I just finally hit send on a reply to Dean’s email from a month ago that proposes an option.
A different option that might work for many terminals would be to create a new CA with a cross-cert with an EKU extension that contains a custom key purpose. I suspect that many terminals do not implement EKU constraining of CAs while browsers do, so that might be a more generic solution.

Thanks,
Peter

> On Apr 7, 2016, at 8:31 AM, Doug Beattie <[email protected]> wrote:
>
> Rob,
>
> They probably do, but is that relevant to the request? We would like to provide our customers with the certificates they need. If there is, or if there is going to be, a process for allowing CAs to issue SHA-1 SSL certificates on a case by case basis from roots that are currently in the Root programs, then we would like to do that.
>
> Doug
>
>> -----Original Message-----
>> From: Rob Stradling [mailto:[email protected]]
>> Sent: Thursday, April 7, 2016 9:55 AM
>> To: Doug Beattie <[email protected]>
>> Cc: Dean Coclin <[email protected]>; [email protected]
>> Subject: Re: [cabfpub] Help to support SHA-1 for POS terminals
>>
>> Doug, do these terminals trust any roots removed from browsers that belong to other CAs (i.e. not GlobalSign)?
>>
>> On 07/04/16 14:45, Doug Beattie wrote:
>>> Hi Dean,
>>>
>>> Unfortunately GlobalSign does not have any roots we can pull from the current root program, thus the request.
>>>
>>> Doug
>>>
>>> *From:* Dean Coclin [mailto:[email protected]]
>>> *Sent:* Thursday, April 7, 2016 9:12 AM
>>> *To:* Doug Beattie <[email protected]>; [email protected]
>>> *Subject:* RE: Help to support SHA-1 for POS terminals
>>>
>>> Do you know which roots the terminals support? We've had good success by using roots that were removed from browsers but still exist in terminals.
>>>
>>> Dean
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Doug Beattie
>>> *Sent:* Thursday, April 07, 2016 6:48 AM
>>> *To:* [email protected]
>>> *Subject:* [cabfpub] Help to support SHA-1 for POS terminals
>>>
>>> Per related posts on this topic, I'm forwarding an email from one of our customers with a request to issue them 2 SHA-1 SSL certificates which will allow them to continue operating POS terminals until they complete their SHA-2 migration later this year.
>>>
>>> GlobalSign would like approval to issue 2 SHA-1 SSL certificates to the domains below which would expire before 1/1/2017 and which would have 20 bits of entropy in the serial number field.
>>>
>>> Doug
>>>
>>> ------------------------------------------------------------------------
>>>
>>> *From:* SERGIO EDUARDO SOLARI ANGELO <[email protected]>
>>> *Sent:* Wednesday, April 6, 2016 6:37:34 PM
>>> *To:* Doug Beattie; Laila Robak
>>> *Cc:* [email protected]
>>> *Subject:* Help to support SHA-1
>>>
>>> Dear Sirs,
>>>
>>> We would like to present the following situation for your consideration.
>>>
>>> Since February 7th 2016 we have established a relationship with /Seguridad America/, a representative of Global Sign. Our previous CA was /Symantec Verisign/, represented by Cert Superior, and we were issued a certificate that supports SHA-1 and they failed to inform us that this protocol had a deadline.
>>>
>>> We urgently need your consideration for the issuance of a certificate that can support SHA-1. If not, we would be under serious risk of losing operations in an estimated 13,000 POS terminals which operate under our current "stand-alone" platform, which would require nationwide onsite visits for software upgrades and in some cases hardware replacement which would need to undergo a purchasing process.
>>>
>>> Based on the previous explanation, we request your consideration and your assistance in this urgent matter. We would require 2 certificates that support SHA-1 for the rest of calendar year 2016, while we continue the acquisition and deployment of the terminals. We estimate that this process would conclude by November.
>>>
>>> It's very critical for Banco Popular to get the certificates that support SHA-1 in order to avoid important financial loss and affecting thousands of Customers that we serve.
>>>
>>> The expiration date of the two certificates of Production is May 22nd 2016.
>>>
>>> The domains of the certificates are:
>>>
>>> pos.azul.com.do
>>>
>>> pos2.azul.com.do
>>>
>>> We highly appreciate your consideration of this matter and thank you in advance for any assistance you may be able to provide given that we had no knowledge of this situation and therefore the scope of its impact.
>>>
>>> Our Best Regards
>>>
>>> */Sergio E. Solari A./*
>>>
>>> Technology Executive Vice President
>>>
>>> CIO
>>>
>>> - This message and its attachments may contain confidential and privileged information intended for use by the persons or organizations to which it is addressed, so its use is exclusive to its recipient. If you have received this message in error, please delete it and inform the sender of the message by reply e-mail. If this is the case, we notify you that the distribution or reproduction of this e-mail and/or its attachments is strictly prohibited. Grupo Popular is not responsible for opinions expressed in this communication that are not in accordance with its activities and purposes and that are not of an official nature.
>>>
>>> - This message and its enclosures may contain confidential and privileged information intended for the use of people and organizations to which it is directed and its use is thus limited to its addressee. If you have received this message by mistake, please eliminate it and inform the sender through a reply message. Should this be the case, you are advised that the distribution or reproduction of this e-mail and/or any attachments contained herein is strictly forbidden. Grupo Popular is not liable for opinions expressed in this message which may not coincide with its responsibilities and purpose and which may not express official matters.
>>>
>>> Grupo Popular.
>>>
>>> _______________________________________________
>>> Public mailing list
>>> [email protected]
>>> https://cabforum.org/mailman/listinfo/public
>>
>> --
>> Rob Stradling
>> Senior Research & Development Scientist
>> COMODO - Creating Trust Online
>> Office Tel: +44.(0)1274.730505
>> Office Fax: +44.(0)1274.730909
>> www.comodo.com
>>
>> COMODO CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ
>>
>> This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
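The mechanism Peter proposes at the top of this thread rests on a difference in path validation: a relying party that applies EKU constraints to CA certificates (as browsers do) rejects a chain whose cross-certificate carries only a custom key purpose, while one that checks EKU only on the end-entity certificate (as many terminals are suspected to) accepts it. The following toy model is an added example, not code from the thread or from any CA or browser; certificates are plain Python objects constructed for the illustration, the serverAuth and anyExtendedKeyUsage OIDs are the real RFC 5280 values, and the custom POS key-purpose OID is a placeholder under a made-up private arc.

```python
# Added illustration (not from the thread): a toy model of EKU handling in
# certificate path validation. Shows why a cross-certified CA whose EKU holds
# only a custom key purpose is rejected by an EKU-constraining relying party
# (browser-like) but accepted by one that ignores EKU on CAs (terminal-like).
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth (RFC 5280)
OID_ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage (RFC 5280)
OID_CUSTOM_POS = "1.3.6.1.4.1.99999.1"  # placeholder private key purpose (constructed)


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for the example)."""
    subject: str
    issuer: str
    is_ca: bool
    eku: Optional[Set[str]] = None  # None: EKU extension absent


def eku_permits(cert: Cert, purpose: str) -> bool:
    """A missing EKU permits every purpose; otherwise the purpose (or anyEKU) must be listed."""
    if cert.eku is None:
        return True
    return purpose in cert.eku or OID_ANY_EKU in cert.eku


def validate_chain(chain: List[Cert], purpose: str,
                   enforce_eku_on_cas: bool) -> Tuple[bool, str]:
    """Validate chain = [leaf, intermediates..., trust anchor] for one key purpose.

    enforce_eku_on_cas=True mimics clients that require every intermediate CA's
    EKU (if present) to cover the purpose; False checks only the leaf, which is
    the behaviour Peter suspects in many terminals. Trust anchors are not
    EKU-checked here, matching common practice for roots taken from a store.
    """
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject}: issuer does not match {parent.subject}"
        if not parent.is_ca:
            return False, f"{parent.subject}: issuer is not a CA"
    leaf = chain[0]
    if not eku_permits(leaf, purpose):
        return False, f"{leaf.subject}: leaf EKU does not include purpose"
    if enforce_eku_on_cas:
        for ca in chain[1:-1]:  # intermediates only; the anchor is trusted as-is
            if not eku_permits(ca, purpose):
                return False, f"{ca.subject}: CA EKU does not include purpose"
    return True, "ok"


# Constructed chain: root (in both browser and terminal stores) -> cross-cert
# CA whose EKU lists only the custom POS purpose -> TLS server leaf.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
CROSS_CA = Cert("Example POS Cross CA", "Example Root CA", is_ca=True,
                eku={OID_CUSTOM_POS})
LEAF = Cert("pos.example.test", "Example POS Cross CA", is_ca=False,
            eku={OID_SERVER_AUTH})
CHAIN = [LEAF, CROSS_CA, ROOT]

# Variant where the cross-cert carries anyExtendedKeyUsage: an EKU-enforcing
# client then accepts it, so the custom purpose alone is what scopes the CA.
CROSS_CA_ANY = Cert("Example Any-EKU Cross CA", "Example Root CA", is_ca=True,
                    eku={OID_ANY_EKU})
LEAF_ANY = Cert("pos.example.test", "Example Any-EKU Cross CA", is_ca=False,
                eku={OID_SERVER_AUTH})
CHAIN_ANY = [LEAF_ANY, CROSS_CA_ANY, ROOT]


def browser_like(chain: List[Cert]) -> Tuple[bool, str]:
    return validate_chain(chain, OID_SERVER_AUTH, enforce_eku_on_cas=True)


def terminal_like(chain: List[Cert]) -> Tuple[bool, str]:
    return validate_chain(chain, OID_SERVER_AUTH, enforce_eku_on_cas=False)


if __name__ == "__main__":
    print("browser-like :", browser_like(CHAIN))     # rejected at the cross-cert
    print("terminal-like:", terminal_like(CHAIN))    # accepted
    print("browser-like, anyEKU cross-cert:", browser_like(CHAIN_ANY))
```

The custom-purpose cross-certificate is therefore only as "browser-safe" as the assumption that every browser enforces EKU on intermediates; a client that does not would accept the chain just as the terminals do, which is the behaviour worth measuring before relying on this separation.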
