Sent from my iPhone.  Please excuse brevity.

On Feb 25, 2016, at 13:34, Dean Coclin <[email protected]> wrote:

Richard,
According to WP, as part of the EMV program, they are aggressively rolling
out new devices to replace all old equipment in the field. They expect this
to be completed by the end of the year.


Thanks for the additional data.  I understand that there are shipping
companies that can deliver even tens of thousands of devices in less than a
year, even less than a month :)

I'm being glib, but I do hope that WP will execute this transition with all
deliberate speed.  The renewal discussions will not get easier as time goes
by.  You can see that this group is already pretty grumpy.

--Richard


They have already moved a large number of devices to support SHA-2.
Again, per my previous post, the existing equipment is not "Worldpay
terminals", rather equipment from many different suppliers, with various
combinations of software/firmware. I'm not trying to justify it, just
presenting the data.
Dean

On 02/25/16, Richard Barnes <[email protected]> wrote:

On Wed, Feb 24, 2016 at 7:55 PM, Peter Gutmann <[email protected]>
wrote:

> [email protected] <[email protected]> writes:
>
> >While we are disappointed that a critical part of the Internet
> >infrastructure is holding back an increase in security, we believe that
> >this allowance strikes an acceptable compromise between minimizing
> >disruption and risk and encouraging migration away from SHA-1 as fast as
> >possible.
>
> I'd still really like to know the details of what happened here. As I've
> pointed out to others off-list, it's not to assign blame but to learn from
> it so that others won't make the same mistake in similar situations in the
> future.
>

I would as well, and I would also be interested in what Worldpay is doing
to migrate to SHA-2. Hopefully they or Symantec can comment here.

--Richard
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy