Technically, Worldpay had a lot longer than four days to figure this out.... It's not like SHA1 issues jumped out from behind a bush to scare everyone.
I believe the concern is that Worldpay is asking for an exception by saying, "We've tried 'things' and they didn't work - can we please have a SHA1 cert?" We don't know what these 'things' they've tried are or whether there is an alternative. Lots of customers have asked for SHA1 certs on the premise that they need them because of old devices. Is this one special? Perhaps, but the alternatives should first be considered.

When creating OneCRL, Mozilla expressed concerns about the potential size of the CRL if end entity certs were included. Now, they are being asked to include 10,000 end-entity certs in OneCRL (which are not even revoked). This is contrary to their previous policy decision to keep OneCRL small. 10k certs isn't big. 10k certs for ONE customer is significant.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Steve
Sent: Wednesday, February 24, 2016 7:43 AM
To: Gervase Markham; Eric Mill; mozilla-dev-security-pol...@lists.mozilla.org
Cc: Kathleen Wilson; Richard Barnes
Subject: Re: Proposed limited exception to SHA-1 issuance

Given OCSP support in the terminal software, this isn't likely to be archaic firmware open to ignoring criticality. Since money is flowing here, audits would scream at even older hash options or intentional defect exploitation. From experience securing an application that moved 30% of all cash that changed hands in a business day, I can state that no financial services company of this scale will expose their network to an untested certificate chain. Four days are not enough time to test alternate chains or certificate designs.

Kind regards,
Steve

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy