Re: Re: Proposed limited exception to SHA-1 issuance

2016-03-01 Thread Richard Barnes
These have now been revoked in OneCRL: https://bugzilla.mozilla.org/show_bug.cgi?id=1252142 On Fri, Feb 26, 2016 at 4:14 PM, Dean Coclin wrote: > You beat me to it: > > These certificates have been logged to our CT log server at > ct.ws.symantec.com, with these index

Re: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Phillip Hallam-Baker
On Mon, Feb 29, 2016 at 7:09 AM, Peter Gutmann wrote: > Jürgen Brauckmann writes: > >>Nice example from the consumer electronics world: Android >= 4.4 is quite >>resistant against private PKIs. You cannot import your own/your corporate >>private

Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Gervase Markham
On 27/02/16 23:50, David E. Ross wrote: > According to Softpedia, Mozilla is the only organization that agreed to > Symantec's request. Microsoft, Google, and others are holding firm on > rejecting SHA-1 certificates. See >

Re: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Richard Barnes
On Mon, Feb 29, 2016 at 4:18 AM, Jürgen Brauckmann wrote: > Peter Gutmann schrieb: > >> Wouldn't it be easier to issue their own certs (or roll out equipment >> which >> relies on WorldPay certs), at which point they could follow their own >> policies? Their problem is

Re: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Jürgen Brauckmann
Peter Gutmann schrieb: Jürgen Brauckmann writes: http://www.howtogeek.com/198811/ask-htg-whats-the-deal-with-androids-persistent-network-may-be-monitored-warning/ Ugh, yuck! So on the one hand we have numerous research papers showing that Android apps that blindly

Re: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Hanno Böck
On Mon, 29 Feb 2016 10:18:01 +0100 Jürgen Brauckmann wrote: > Using private PKIs for such stuff isn't risk-free, as software > vendors are confused about the security properties of their root > store. Actually I also thought while reading this thread that I disagree that

RE: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Peter Gutmann
Jürgen Brauckmann writes: >Nice example from the consumer electronics world: Android >= 4.4 is quite >resistant against private PKIs. You cannot import your own/your corporate >private Root CAs for Openvpn- or Wifi access point security without getting >persistent, nasty,

Re: Proposed limited exception to SHA-1 issuance

2016-02-27 Thread Eric Mill
On Sat, Feb 27, 2016 at 6:50 PM, David E. Ross wrote: > > According to Softpedia, Mozilla is the only organization that agreed to > Symantec's request. Microsoft, Google, and others are holding firm on > rejecting SHA-1 certificates. See > < >

Re: Proposed limited exception to SHA-1 issuance

2016-02-27 Thread David E. Ross
On 2/23/2016 10:57 AM, Gervase Markham wrote [in part]: > Mozilla and other browsers have been approached by Worldpay, a large > payment processor, via Symantec, their CA. They have been transitioning > to SHA-2 but due to an oversight have failed to do so in time for a > portion of their

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-27 Thread Matt Palmer
On Fri, Feb 26, 2016 at 08:32:34AM -0800, douglas.beat...@gmail.com wrote: > I hope the same courtesy is afforded to other high profile customers and > their CA should the need arise. Why should a requestor's profile come into it? Because they're in a better position to make trouble if their

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-26 Thread Dean Coclin
You beat me to it: These certificates have been logged to our CT log server at ct.ws.symantec.com, with these index numbers: 236731 236746 236748 236751 236759 236763 236767 Dean Coclin On 02/26/16, Andrew Ayer wrote: On Wed, 24 Feb 2016 16:11:38 -0800 (PST) rbar...@mozilla.com wrote: >

Re: Proposed limited exception to SHA-1 issuance

2016-02-26 Thread Andrew Ayer
On Wed, 24 Feb 2016 16:11:38 -0800 (PST) rbar...@mozilla.com wrote: > 2. On issuance of any such certificate(s), the issuer MUST take the > following actions: 2.a. Submit the certificates to one or more > Certificate Transparency logs. (There is no requirement for the > certificates to contain a

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-26 Thread douglas . beattie
On Thursday, February 25, 2016 at 10:06:50 PM UTC-5, Peter Gutmann wrote: > Dean Coclin writes: I think Symantec and Mozilla are doing the right thing. Nobody is asking to extend the 1/1/2017 SHA-1 deprecation date. World Pay could have SHA-1 certificates that expire on 12/31/2016 if they

RE: Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Peter Gutmann
Dean Coclin writes: >According to WP, as part of the EMV program, they are aggressively rolling >out new devices to replace all old equipment in the field. They expect this >to be completed by the end of the year. They have already moved a large >number of devices to

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Dean Coclin
What CA(s) would Symantec use as the issuer for the certificates? The same one they've been using and know works: VeriSign Class 3 International Server CA - G3. >> Dean, are you sure about that? Rob - Yes I am. I am sure that we will be using that CA to satisfy this request because we know it works.

Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Brian Smith
Gervase Markham wrote: > On 23/02/16 18:57, Gervase Markham wrote: > > Mozilla and other browsers have been approached by Worldpay, a large > > payment processor, via Symantec, their CA. They have been transitioning > > to SHA-2 but due to an oversight have failed to do so in

Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Gervase Markham
On 23/02/16 18:57, Gervase Markham wrote: > Mozilla and other browsers have been approached by Worldpay, a large > payment processor, via Symantec, their CA. They have been transitioning > to SHA-2 but due to an oversight have failed to do so in time for a > portion of their infrastructure, and

Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Rob Stradling
On 25/02/16 00:11, rbar...@mozilla.com wrote: Hey all, Thanks to everyone for the robust discussion here. Gerv, Kathleen and I have discussed and decided that Mozilla will allow a qualification due to issuance of SHA-1 certificates, subject to the following conditions: Do we know if the

Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Rob Stradling
For each of the 7 servers that I can reach, "Class 3 Public Primary Certification Authority" is the issuer of the final cert in the chain. What proportion of the WorldPay terminals trust the (yanked) "Class 3 Public Primary Certification Authority" root? Is this the ~90%? If so, then the

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Richard Barnes
On Wed, Feb 24, 2016 at 7:55 PM, Peter Gutmann wrote: > rbar...@mozilla.com writes: > > >While we are disappointed that a critical part of the Internet > >infrastructure is holding back an increase in security, we believe that > >this allowance

RE: Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Peter Gutmann
Dean Coclin writes: >The same one they've been using and know works: VeriSign Class 3 >International Server CA - G3. So the devices will trust any cert from this CA? This is a serious question, a contractor once got into USG infrastructure with a $20 or so cert

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread rbarnes
Hey all, Thanks to everyone for the robust discussion here. Gerv, Kathleen and I have discussed and decided that Mozilla will allow a qualification due to issuance of SHA-1 certificates, subject to the following conditions: 1. SHA-1 certificates MUST NOT be issued for any name other than the

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Dean Coclin
This is Dean from Symantec (same Dean as the CA/B Forum Chair but I'm leaving that hat off right now). I'd like to answer some questions about this situation on which I agree is less than ideal. First off, as Gerv mentioned, many device manufacturers erroneously embedded public roots in their

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Rob Stradling
On 24/02/16 14:40, Gervase Markham wrote: Hi Rob, These are extremely good questions. I have some of the answers. On 24/02/16 10:16, Rob Stradling wrote: Gerv, I would really like to see more technical details about the PKI software in WorldPay's terminals before offering an opinion on

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Gervase Markham
On 24/02/16 19:27, Jeremy Rowley wrote: > I believe the concern is that Worldpay is asking for an exception by saying, > "We've tried 'things' and they didn't work - can we please have a SHA1 > cert?" We don't know what these 'things' they've tried are or whether there > is an alternative. Lots of

RE: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Jeremy Rowley
ozilla-dev-security-pol...@lists.mozilla.org Cc: Kathleen Wilson; Richard Barnes Subject: Re: Proposed limited exception to SHA-1 issuance Given OCSP support in the terminal software, this isn't likely to be archaic firmware open to ignoring criticality. Since money is flowing here, audits would scre

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Andrew Ayer
On Wed, 24 Feb 2016 14:58:37 + Gervase Markham wrote: > > They had ample opportunity to avoid a crisis. It is not > > Mozilla's responsibility to dig them out of the hole they have dug > > for themselves, > > It is not our responsibility; on the other hand, the damage

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread benjamin . hewins
On Tuesday, February 23, 2016 at 6:58:19 PM UTC, Gervase Markham wrote: > Mozilla and other browsers have been approached by Worldpay, a large > payment processor, via Symantec, their CA. They have been transitioning > to SHA-2 but due to an oversight have failed to do so in time for a > portion

RE: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Jeremy Rowley
...@mozilla.org] Sent: Wednesday, February 24, 2016 9:11 AM To: Jeremy Rowley; Rob Stradling; mozilla-dev-security-pol...@lists.mozilla.org Cc: Kathleen Wilson; Richard Barnes Subject: Re: Proposed limited exception to SHA-1 issuance On 24/02/16 15:45, Jeremy Rowley wrote: > I think Rob's questi

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Gervase Markham
On 24/02/16 16:03, Eric Mill wrote: > Clearly, Mozilla is making a value judgment that this SHA-1 exception is > more merited than other public and private requests for exceptions. It > doesn't sound like Mozilla is potentially supporting this exception based > on a calculation of economic impact,

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Gervase Markham
On 24/02/16 15:45, Jeremy Rowley wrote: > I think Rob's questions are great and should be answered before deciding. > Many CAs have roots and can issue certs that browsers will simply reject. > There may be a simple way to provide them certs without issuing a ton of > SHA1s that are placed on

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Eric Mill
On Wed, Feb 24, 2016 at 9:31 AM, Gervase Markham wrote: > On 24/02/16 02:26, Eric Mill wrote: > > It would also be worth learning what segment of the market these 10,000 > > terminals would affect. I've seen these terminals before: > > > > >

RE: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Tim Hollebeek
Gutmann Cc: Gervase Markham; mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson; Richard Barnes Subject: Re: Proposed limited exception to SHA-1 issuance Their path to avoid disruption to consumers on Sunday is the 9 gateways, not the 10,000+ terminals. Pushing firmware to devices

RE: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Jeremy Rowley
exception to SHA-1 issuance On 23/02/16 18:57, Gervase Markham wrote: > Mozilla and other browsers have been approached by Worldpay, a large > payment processor, via Symantec, their CA. They have been > transitioning to SHA-2 but due to an oversight have failed to do so in > time f

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Gervase Markham
On 23/02/16 20:05, Andrew Ayer wrote: > Multiple mistakes were made by Worldpay (using public roots, leaving > the transition to the last minute, and then forgetting to renew before > the sunset) and Symantec (failing to make sure their customer was > prepared). I think it's unreasonable to blame

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Steve
Given OCSP support in the terminal software, this isn't likely to be archaic firmware open to ignoring criticality. Since money is flowing here, audits would scream at even older hash options or intentional defect exploitation. From experience securing an application that moved 30% of all cash

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Gervase Markham
On 24/02/16 02:38, Peter Gutmann wrote: > I'm curious about what's going on here, as you say this is a private PKI, so > why do they need certs from a public CA? Presumably Worldpay is doing this > for B2B comms, so why don't they issue their own certs, and they can keep > using SHA-1 for as long

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Gervase Markham
On 24/02/16 02:26, Eric Mill wrote: > It would also be worth learning what segment of the market these 10,000 > terminals would affect. I've seen these terminals before: > >

RE: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Peter Gutmann
Steve writes: >They state no business case where the 9 payment gateways are accessible by >browsers or that any business case exists on the gateways that uses any >client other than the payment terminal. So these things will never see access by a browser enforcing the

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Steve
Just as important as browser users are the people who rely on payment terminals to enjoy their daily life. Here, the affected customer states no intent to put these certificates into browser accessible space. They state no business case where the 9 payment gateways are accessible by browsers or

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Rob Stradling
On 24/02/16 10:20, Peter Gutmann wrote: Rob Stradling writes: But if it's an old version of NSS or OpenSSL, then the community could help find an exploitable bug. If it's a remote-code-exec we could patch their firmware for them to support SHA-256. Think of it as

RE: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Peter Gutmann
Rob Stradling writes: >But if it's an old version of NSS or OpenSSL, then the community could help >find an exploitable bug. If it's a remote-code-exec we could patch their firmware for them to support SHA-256. Think of it as an undocumented remote admin capability.

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Rob Stradling
On 23/02/16 18:57, Gervase Markham wrote: Mozilla and other browsers have been approached by Worldpay, a large payment processor, via Symantec, their CA. They have been transitioning to SHA-2 but due to an oversight have failed to do so in time for a portion of their infrastructure, and failed

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Richard Barnes
On Tue, Feb 23, 2016 at 6:26 PM, Eric Mill wrote: > On Tue, Feb 23, 2016 at 1:57 PM, Gervase Markham wrote: > >> >> Our proposal, which we have sent to Symantec, Worldpay and the other >> browsers, is as follows: >> > > Thank you for bringing this to the

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Eric Mill
On Tue, Feb 23, 2016 at 9:38 PM, Peter Gutmann wrote: > Gervase Markham writes: > > >Mozilla is very keen to see SHA-1 eliminated, but understands that for > >historical reasons poor decisions were made in private PKIs about which > roots > >to

RE: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Peter Gutmann
Gervase Markham writes: >Mozilla is very keen to see SHA-1 eliminated, but understands that for >historical reasons poor decisions were made in private PKIs about which roots >to trust, and such decisions are not easily remedied. I'm curious about what's going on here, as you

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Eric Mill
On Tue, Feb 23, 2016 at 1:57 PM, Gervase Markham wrote: > > Our proposal, which we have sent to Symantec, Worldpay and the other > browsers, is as follows: > Thank you for bringing this to the list for public input, even with a tight timeline and under immense pressure. It

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Steve
Large quantities of SHA-1 certificates were issued in the weeks prior to the deadline as operators of systems not intended for primarily browser based consumption maximized their remaining compliant lifespan. Embedded physical deployment of devices that are not updated at browser speed runs the

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread tech29063
On Tuesday, February 23, 2016 at 10:58:19 AM UTC-8, Gervase Markham wrote: > Mozilla and other browsers have been approached by Worldpay, a large > payment processor, via Symantec, their CA. They have been transitioning > to SHA-2 but due to an oversight have failed to do so in time for a >

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Richard Barnes
On Tue, Feb 23, 2016 at 12:05 PM, Andrew Ayer wrote: > On Tue, 23 Feb 2016 18:57:41 + > Gervase Markham wrote: > > > Please comment on whether this proposal seems reasonable, being aware > > of the short timelines involved. > > I am opposed. There is

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Richard Barnes
On Tue, Feb 23, 2016 at 1:47 PM, Andrew Ayer wrote: > On Tue, 23 Feb 2016 13:12:27 -0800 > Yuhong Bao wrote: > > > If OneCRL always used the same hash algorithm as the certificate, > > then any colliding certificate would also be treated as

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Richard Barnes
On Tue, Feb 23, 2016 at 1:44 PM, Charles Reiss wrote: > On 02/23/16 18:57, Gervase Markham wrote: > [snip] > > Symantec may issue certificates to Worldpay if the following things are > > true: > > Based on what's happened with MD5 certificates, it seems the main risk > of

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread tech29063
On Tuesday, February 23, 2016 at 10:58:19 AM UTC-8, Gervase Markham wrote: > Mozilla and other browsers have been approached by Worldpay, a large > payment processor, via Symantec, their CA. They have been transitioning > to SHA-2 but due to an oversight have failed to do so in time for a >

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Charles Reiss
On 02/23/16 18:57, Gervase Markham wrote: [snip] > Symantec may issue certificates to Worldpay if the following things are > true: Based on what's happened with MD5 certificates, it seems the main risk of harm comes from something like a chosen-prefix collision attack using a specially

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Andrew Ayer
On Tue, 23 Feb 2016 18:57:41 + Gervase Markham wrote: > Please comment on whether this proposal seems reasonable, being aware > of the short timelines involved. I am opposed. There is no telling how many other organizations are in a similar situation due to poor planning