Re: SHA-1 exception First Data

2016-12-21 Thread Gervase Markham
On 16/12/16 17:55, Nick Lamb wrote:
> So here we are, three months later, First Data are back, as predicted, asking
> for another "exception".

Those reading the CAB Forum list will note that Mozilla has declined to grant an additional exception.

Gerv

Re: SHA-1 exception First Data

2016-12-16 Thread Nick Lamb
By the way Gerv, in your flurry of posts to CA/B Forum public you comment "If I were going to calculate a SHA-1 collision, the certificate of a machine handling tens or hundreds of thousands of credit cards a day would be a reasonably obvious target, ISTM." This would need a second pre-image

Re: SHA-1 exception First Data

2016-10-07 Thread Gervase Markham
On 06/10/16 06:46, Peter Bowen wrote:
> I think we can all look back with 20/20 hindsight and say that device
> vendors should not use the same roots as browsers and that maybe CAs
> should have created "SHA-1 forever" roots for devices that never plan
> to update, but that is great hindsight.

We

Re: SHA-1 exception First Data

2016-10-07 Thread Gervase Markham
On 06/10/16 15:22, Jakob Bohm wrote:
> Good, now communicate it.

Companies should be talking to their CAs, who will offer this service if they have it.

Gerv

dev-security-policy mailing list
dev-security-policy@lists.mozilla.org

Re: SHA-1 exception First Data

2016-10-06 Thread Jakob Bohm
On 06/10/2016 15:58, Gervase Markham wrote:
> On 06/10/16 12:38, Jakob Bohm wrote:
>> Which is why I have repeatedly suggested that maybe the rules should be
>> changed to promote/demote some of the historic SHA-1 root certs into
>> "SHA-1 forever" roots that can service older devices and browsers, even

Re: SHA-1 exception First Data

2016-10-06 Thread Gervase Markham
On 06/10/16 12:38, Jakob Bohm wrote:
> Which is why I have repeatedly suggested that maybe the rules should be
> changed to promote/demote some of the historic SHA-1 root certs into
> "SHA-1 forever" roots that can service older devices and browsers, even
> for regular websites concerned about

Re: SHA-1 exception First Data

2016-10-06 Thread Jakob Bohm
On 06/10/2016 07:46, Peter Bowen wrote:
> On Wed, Oct 5, 2016 at 10:02 PM, Michael Ströder wrote:
>> Dean Coclin wrote:
>>> First Data's customers don't use browsers so Firefox can disable SHA-1
>>> tomorrow
>>> and not affect them.
>>
>> So why to have your CA certificate trusted in

Re: SHA-1 exception First Data

2016-10-06 Thread Kurt Roeckx
On Thu, Oct 06, 2016 at 08:22:20AM +0200, Hanno Böck wrote:
> On Wed, 5 Oct 2016 22:46:24 -0700
> Peter Bowen wrote:
>
> > I think we can all look back with 20/20 hindsight and say that device
> > vendors should not use the same roots as browsers and that maybe CAs
> > should

Re: SHA-1 exception First Data

2016-10-06 Thread Hanno Böck
On Wed, 5 Oct 2016 22:46:24 -0700
Peter Bowen wrote:
> I think we can all look back with 20/20 hindsight and say that device
> vendors should not use the same roots as browsers and that maybe CAs
> should have created "SHA-1 forever" roots for devices that never plan
> to

Re: SHA-1 exception First Data

2016-10-05 Thread Peter Bowen
On Wed, Oct 5, 2016 at 10:02 PM, Michael Ströder wrote:
> Dean Coclin wrote:
>> First Data's customers don't use browsers so Firefox can disable SHA-1
>> tomorrow
>> and not affect them.
>
> So why to have your CA certificate trusted in Firefox's cert DB?
>
>> First Data

Re: SHA-1 exception First Data

2016-10-05 Thread Michael Ströder
Dean Coclin wrote:
> First Data's customers don't use browsers so Firefox can disable SHA-1
> tomorrow
> and not affect them.

So why have your CA certificate trusted in Firefox's cert DB?

> First Data has asked for a reasonable extension which doesn't affect browsers.

If it does not "affect

Re: SHA-1 exception First Data

2016-10-05 Thread Dean Coclin
Nick,

First Data's customers don't use browsers so Firefox can disable SHA-1 tomorrow and not affect them. Remember, many of these "customers" are small businesses or non-profits. I think about places like a private school or church that whip out the terminal when it's time for the festival or

SHA-1 exception First Data

2016-10-05 Thread Nick Lamb
We had a thread about the TSYS application but not for First Data. Unlike with TSYS I don't see anything here that leaps out as problematic in the to-be-signed certificates but I do think the moral hazard problem is larger here than with TSYS and anyway bears revisiting. First Data say they