On 12/10/16 16:50, Dean Coclin wrote:
> [First Data] Yes. First Data requires POS vendors to certify to our
> API’s which detail the signature algorithms that are supported and
> also detail which ROOT CA’s must be used.

Is this documentation available? Which root CA(s) are on the list?

> [First Data] We have multiple roots available to fall back to,
> however each of them would require us to use this SHA-1 procedure
> because all of the 300,000 devices require a SHA-1 end entity
> certificate.

And as it happens, none of them are in the set of roots that CAs have pulled from browser root stores so they can continue SHA-1 issuance?

> As was pointed out in a previous application the risk is at issuance
> and is not affected by validity period. See link:
> https://cabforum.org/pipermail/public/2016-July/008007.html

Nevertheless, the SHA-1 deprecation process, as outlined in the BRs, does not allow unlimited validity.

Mozilla is considering our response internally; we hope to have an answer for you soon.

Gerv