On Thursday, February 25, 2016 at 10:06:50 PM UTC-5, Peter Gutmann wrote:

> Dean Coclin <[email protected]> writes:
>
> >According to WP, as part of the EMV program, they are aggressively rolling
> >out new devices to replace all old equipment in the field. They expect this
> >to be completed by the end of the year. They have already moved a large
> >number of devices to support SHA-2.
>
> Wouldn't it be easier to issue their own certs (or roll out equipment which
> relies on WorldPay certs), at which point they could follow their own
> policies? Their problem is that their (inexplicable) use of a public CA for a
> private PKI has meant they're now being held hostage to the CAB forum's cert
> policy. I don't mean that in a negative sense, that policy is probably
> perfectly sensible for browser PKI, but it's not a good policy for a payment
> processor with huge amounts of fixed-function, non-upgradeable equipment
> deployed all over the planet.
>
> Peter.
Good points, Peter. Here's some more background:

Their use of a public CA might seem "inexplicable" in 2016, but remember, these devices were developed and deployed a decade or more ago, even before the CA/Browser Forum was formed. The developers knew that the devices needed to talk back to a web server, and lots of CAs sold certificates for web servers. So they downloaded some roots and embedded them into the devices. In most cases, this was done without the CA's knowledge.

The alternative would have been to run their own PKI and sign their own certificates, but that's pretty tricky to do in an environment with multiple vendors that may not fully trust each other. So they let the CAs be the trusted third parties and manage the PKI.

A decade ago, no one knew that a CA/Browser Forum would emerge to govern these roots and impose policy restrictions that would affect payment terminals and other non-browser clients.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

