On Thu, 27 Sep 2018 14:52:27 +0000
Tim Hollebeek via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> My personal impression is that by the time they are brought up here,
> far too many issues have easily predicted and pre-determined outcomes.

It is probably true that many issues have predictable outcomes but I
think predictability is on the whole desirable. Are there in fact CA
representatives who'd rather they had no idea how Mozilla would react
when there's an issue?

> I know most of the security and key management people for the payment
> industry very well [1], and they're good people.

I mean this not sarcastically at all, but almost everybody is "good
people". That's just not enough. I would like to think that I'm "good
people" and yet it certainly would not be a good idea for the Mozilla
CA root trust programme to trust some CA root I have on this PC.

> I attempted to speak up a few times in various fora but it was pretty
> clear that anything that wasn't security posturing wasn't going to be
> listened to, and finding a practical solution was not on the agenda.
> It was pretty clear sitting in the room that certain persons had
> already made up their minds before they even understood what a
> payment terminal was, how they are managed, and what the costs and
> risks were for each potential alternative.

If we're being frank, my impression is that First Data lied in their
submission to us and if it came solely to my discretion that would be
enough to have justified telling them "No" on its own the first time.

Here's what they wrote to us:

"In Nov. 2014 Datawire added SHA-2 certificates to our staging and
support environments."

And here's what they'd told their customers about one of those staging
environments as late as September 2015:

"Datawire will update to SHA-256 support on March 9, 2016 on the
following url: stg.dw.us.fdcnet.biz (staging)"

and yet when Symantec did create a SHA-256 certificate for
stg.dw.us.fdcnet.biz, it wasn't in November 2014, or on March 9, 2016; it
was dated 10 June 2016.


OK, well, maybe it was just stg.dw.us.fdcnet.biz right? Let's try one
of their support sites, support.datawire.net.

That finally received a SHA-256 certificate in September 2016, almost
two years after Datawire told us it had happened; in fact, it was just
barely before Symantec forwarded us their request for an exception.
Rather than almost two _years_, their customers actually had two _days_
for this change before First Data put an onion in their pocket and came
to tell us about how hard they'd tried...

[support.datawire.net still exists at time of writing but is scheduled
to expire in the next few hours]


As to understanding what a payment terminal is, how about "The cheapest
possible device that passes the bare minimum of tests to scrape
through"? Is that a good characterisation?

Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy