On 13/10/16 14:16, Dean Coclin wrote:
> [First Data] Yes. We send them directly to integrators. They are
> not published on a website. At the point a device vendor certifies
> to our network we currently specify one Root which is the VeriSign
> G5. With the emergence of 2048-bit certs, we established a policy of
> specifying a single Root.
I would gently suggest that this is a single point of failure for your
entire network, and it would be wiser to specify at least two roots,
operated by different CAs.
In fact, given that space to store roots is cheap even in the tiniest
embedded devices, why not two roots by each of two companies?