Dean Coclin <[email protected]> writes:

>According to WP, as part of the EMV program, they are aggressively rolling
>out new devices to replace all old equipment in the field. They expect this
>to be completed by the end of the year. They have already moved a large
>number of devices to support SHA-2.

Wouldn't it be easier to issue their own certs (or roll out equipment which relies on WorldPay certs), at which point they could follow their own policies? Their problem is that their (inexplicable) use of a public CA for a private PKI has meant they're now being held hostage to the CAB forum's cert policy. I don't mean that in a negative sense, that policy is probably perfectly sensible for browser PKI, but it's not a good policy for a payment processor with huge amounts of fixed-function, non-upgradeable equipment deployed all over the planet.

Peter.

