Hi Dean,

On 29/09/16 19:52, Dean Coclin wrote:
> In accordance with the SHA-1 Exception Request procedure, we hereby submit
> the attached request on behalf of our client.

I've been considering this application, with reference to https://github.com/awhalley/docs-for-comment/blob/master/SHA1RequestProcedure.MD , which I believe is the latest version.

* The answer to question 3 is not complete, in that it does not explain whether alternative measures such as issuing from a pulled root have been tried and if so, what the outcome was, and if not, why not.

* It seems pretty amazing that, given that this company was not unaware of the relevant deadlines, they only bothered in August 2016 to check and see how effective their attempts at getting the ecosystem to upgrade were.

* This seems not to be a case of "we didn't know" or "we weren't told" by First Data, but a case of "we were told but we didn't listen" by First Data's community of software vendors, VARs and gateway providers. This makes me less sympathetic - either these companies have failed to communicate to their customers the importance of the impending deadline, or the customers have simply ignored the communications. And they have no-one to blame but themselves.

* Do the proposed certificates "correspond to an Existing Certificate..." as outlined in the section "Existing Certificate Information" in the procedure doc? If they do, can crt.sh links be provided for the existing certificates? If not, is that because matching certs existed but were not logged, or because other changes have been made? If the latter, can it be explained why the additional changes to the certificate contents are needed? In general, it seems that while the answers to the initial questions have been provided, the data requested by this section has not.

* The procedure doc says that validity of exceptional certificates may not extend beyond 31st December 2016. First Data is asking for 15th March 2017, which is impermissible as the doc stands. (The CAB Forum has regularly had discussions about how the end of a calendar year is a bad time for deadlines; however, in this case, the actual deadline was a year ago, so I don't think this complaint can be made in this case.)

* Given the above, I wonder whether, if the only way to make the affected retailers pay attention is if their devices actually stop working, it's best for that to happen in October/November rather than on December 31st, in the middle of the Christmas period.

Gerv

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
