Steve <[email protected]> writes: >They state no business case where the 9 payment gateways are accessible by >browsers or that any business case exists on the gateways that uses any >client other than the payment terminal.
So these things will never see access by a browser enforcing the SHA-1 restrictions? Where is the restriction coming from then, is it that the browser vendors have told the CAs (via the CAB Forum) they can't issue SHA-1 certs of any kind, even if they're only used in a private PKIs? I'd really like to get some comment from WorldPay on precisely what's going on here. It'd be a lot easier to sort out if we knew exactly what was happening, Rob Stradling posted a good base set of questions that need to be answered. If we knew more details it seems like there could be an easier solution than having to break the no-SHA1-any-more rule. Peter. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
