Mozilla and other browsers have been approached by Worldpay, a large
payment processor, via Symantec, their CA. They have been transitioning
to SHA-2 but due to an oversight have failed to do so in time for a
portion of their infrastructure, and failed to renew some SHA-1 server
certificates before
On Tue, 23 Feb 2016 18:57:41 +
Gervase Markham wrote:
> Please comment on whether this proposal seems reasonable, being aware
> of the short timelines involved.
I am opposed. There is no telling how many other organizations are in a
similar situation due to poor planning or "oversights" on t
> On Tue, 23 Feb 2016 18:57:41 +
> Gervase Markham wrote:
>
>> Please comment on whether this proposal seems reasonable, being aware
>> of the short timelines involved.
>
> I am opposed. There is no telling how many other organizations are in a
> similar situation due to poor planning or "over
On 02/23/16 18:57, Gervase Markham wrote:
[snip]
> Symantec may issue certificates to Worldpay if the following things are
> true:
Based on what's happened with MD5 certificates, it seems the main risk
of harm comes from something like a chosen-prefix collision attack using
a specially constructed
On Tue, 23 Feb 2016 13:12:27 -0800
Yuhong Bao wrote:
> If OneCRL always used the same hash algorithm as the certificate,
> then any colliding certificate would also be treated as revoked.
OneCRL would need to use the hash of the TBS, not the certificate. The
TBS is what's collided, but once the
On 2/23/2016 10:57 AM, Gervase Markham wrote:
> Mozilla and other browsers have been approached by Worldpay, a large
> payment processor, via Symantec, their CA. They have been transitioning
> to SHA-2 but due to an oversight have failed to do so in time for a
> portion of their infrastructure, and
On Tuesday, February 23, 2016 at 10:58:19 AM UTC-8, Gervase Markham wrote:
> Mozilla and other browsers have been approached by Worldpay, a large
> payment processor, via Symantec, their CA. They have been transitioning
> to SHA-2 but due to an oversight have failed to do so in time for a
> portion
On Tue, Feb 23, 2016 at 1:44 PM, Charles Reiss wrote:
> On 02/23/16 18:57, Gervase Markham wrote:
> [snip]
> > Symantec may issue certificates to Worldpay if the following things are
> > true:
>
> Based on what's happened with MD5 certificates, it seems the main risk
> of harm comes from somethin
On Tue, Feb 23, 2016 at 1:47 PM, Andrew Ayer wrote:
> On Tue, 23 Feb 2016 13:12:27 -0800
> Yuhong Bao wrote:
>
> > If OneCRL always used the same hash algorithm as the certificate,
> > then any colliding certificate would also be treated as revoked.
>
> OneCRL would need to use the hash of the T
On Tue, Feb 23, 2016 at 1:55 PM, David E. Ross
wrote:
> On 2/23/2016 10:57 AM, Gervase Markham wrote:
> > Mozilla and other browsers have been approached by Worldpay, a large
> > payment processor, via Symantec, their CA. They have been transitioning
> > to SHA-2 but due to an oversight have fail
On Tue, Feb 23, 2016 at 12:05 PM, Andrew Ayer wrote:
> On Tue, 23 Feb 2016 18:57:41 +
> Gervase Markham wrote:
>
> > Please comment on whether this proposal seems reasonable, being aware
> > of the short timelines involved.
>
> I am opposed. There is no telling how many other organizations a
On Tuesday, February 23, 2016 at 10:58:19 AM UTC-8, Gervase Markham wrote:
> Mozilla and other browsers have been approached by Worldpay, a large
> payment processor, via Symantec, their CA. They have been transitioning
> to SHA-2 but due to an oversight have failed to do so in time for a
> portion
Large quantities of SHA-1 certificates were issued in the weeks prior to
the deadline as operators of systems not intended for primarily browser
based consumption maximized their remaining compliant lifespan, Embedded
physical deployment of devices that are not updated at browser speed runs
the gam
On Tue, Feb 23, 2016 at 1:57 PM, Gervase Markham wrote:
>
> Our proposal, which we have sent to Symantec, Worldpay and the other
> browsers, is as follows:
>
Thank you for bringing this to the list for public input, even with a tight
timeline and under immense pressure. It really speaks to how s
Gervase Markham writes:
>Mozilla is very keen to see SHA-1 eliminated, but understands that for
>historical reasons poor decisions were made in private PKIs about which roots
>to trust, and such decisions are not easily remedied.
I'm curious about what's going on here, as you say this is a priva
On Tue, Feb 23, 2016 at 9:38 PM, Peter Gutmann
wrote:
> Gervase Markham writes:
>
> >Mozilla is very keen to see SHA-1 eliminated, but understands that for
> >historical reasons poor decisions were made in private PKIs about which
> roots
> >to trust, and such decisions are not easily remedied.
On Tue, Feb 23, 2016 at 6:26 PM, Eric Mill wrote:
> On Tue, Feb 23, 2016 at 1:57 PM, Gervase Markham wrote:
>
>>
>> Our proposal, which we have sent to Symantec, Worldpay and the other
>> browsers, is as follows:
>>
>
> Thank you for bringing this to the list for public input, even with a
> tigh
On 22/2/2016 6:52 μμ, Peter Kurrasch wrote:
Hi Dimitris,
You certainly echo the sentiment of others in this forum by directing
me to the CABF but my concerns are particular to HARICA at this point.
Simply put, the CABF BR has security gaps in section 3.2.2.4 which can
result in certificate m
18 matches
Mail list logo
