So here we are, three months later, First Data are back, as predicted, asking for another "exception".

First Data's original notice seeking the exception asserts that staging environments for these systems had SHA-256 certificates from November 2014 giving their VARs plenty of time to react. Actual documents released from First Data's Datawire to their vendors give a different story, saying that SHA-256 certificates will be on the staging environment stg.dw.us.fdcnet.biz (which corresponds to a production service prod.dw.us.fdcnet.biz in the exception request) from March 9, 2016. That's 16 months later, and well after the point where Symantec will have informed First Data that it was no longer possible to issue SHA-1 certificates.

Worse, I have been unable to find any evidence that this change to the staging environment even went ahead as scheduled. The first SHA-256 certificate recorded for stg.dw.us.fdcnet.biz is instead dated June, 2016.

https://crt.sh/?serial=71b81e959ac09d6c172e50abf849e3e5

This is 19 months after the claimed date, and their VARs now had only about 3 months left to test and validate new releases against SHA-256 certificates, then ship them as final production systems to all end users.

Symantec forwarded the exception request. Did Dean or his co-workers take a moment to wonder what SHA-256 certificates First Data supposedly had in their staging environment in November 2014, since they were issuing SHA-1 certificates for those very machines just a few months before?

