Although I had conversations with some folks over the meeting break today, I'm going to post my request here to follow the procedure on the public list.
It's become abundantly clear that further attempts to get approval from 2 of the 4 browsers for a date beyond December 31st isn't going to result in the requested change. So let me switch gears and discuss what's been approved by Mozilla and Google on the public list so far. Approval has been granted for issuance of the requested First Data certs (from the TBS certs generated for review) with the only difference being the expiration dates. However, this will require generating new TBS certs for another approval. As the group knows, First Data's certificate expires on Oct 27th. They can't wait until that day to install (for obvious reasons of testing, and insuring no problems with the certs or their installation that would affect 300K merchants) and they have scheduled an installation window later this week. We don't really have time to generate new TBS certs with the approved expiration dates and submit them for cryptanalysis testing (per the procedure). I would like to suggest an alternative approach for consideration by the browsers: Given that the current TBS certs have passed cryptanalysis, could you allow the issuance of the TBS certs as presented, and mandate that the CA revoke those certs on 12/31 (or the next business day). This is an auditable event and browsers can push that revocation out to their clients via their own methods. I believe this meets the intent of the affected browsers by protecting their users after that date. It also avoids disruption to First Data clients on October 27th. I ask that this compromise suggestion be given fair consideration in light of the tight timing. Thank you, Dean Coclin Symantec -----Original Message----- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, October 18, 2016 2:00 PM To: Dean Coclin <dean_coc...@symantec.com>; CABFPub <email@example.com> Cc: Halliday, Morgan <morgan.halli...@firstdata.com>; Sidoriak, Evan S <evan.sidor...@firstdata.com> Subject: Re: [cabfpub] SHA-1 exception request Hi Dean, We discussed this this morning, but this draft was half-written, so: On 13/10/16 21:58, Dean Coclin wrote: > Thank you for the prompt response to First Data's application. While > we appreciate the approval and await responses from other browsers, > I'd like to point out that this deadline doesn't really help First > Data and the merchants much. It gives them up to an extra two months to fix things, if they want it. If having everything break on 31st December is a problem, First Data always have the option of permanently upgrading their infrastructure to SHA-2 on a more convenient date earlier than that. They have control over when they stop using SHA-1. So it's wrong to characterise this as a "December 31st cutoff". > First Data requested an expiration in March and while I understand > Mozilla's reluctance to approve a date that late, I was hoping they > would at least receive equal treatment as TSYS with a February 9th > expiration. TSYS was a bit unfortunate - not sure how that happened. I seem to remember I was moving house at the time, and conditioned my acceptance on Google's acceptance. I want to be consistent, and now I'm faced with the choice of being consistent with policy or with precedent. Having weighed this up, the moral hazard argument is most weighty. Other companies have bust a gut to get this done by the end of the year. And it would be ridiculous that, come 1st January, my blog would be required to have better security in order to work than a merchant handling my credit card. Gerv
Description: S/MIME cryptographic signature
_______________________________________________ Public mailing list Public@cabforum.org https://cabforum.org/mailman/listinfo/public