Re: Re: Proposed limited exception to SHA-1 issuance

2016-03-01 Thread Richard Barnes
These have now been revoked in OneCRL: https://bugzilla.mozilla.org/show_bug.cgi?id=1252142 On Fri, Feb 26, 2016 at 4:14 PM, Dean Coclin wrote: > You beat me to it: > > These certificates have been logged to our CT log server at > ct.ws.symantec.com, with these index numbers: > > 236731 > > 23674

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-27 Thread Matt Palmer
On Fri, Feb 26, 2016 at 08:32:34AM -0800, douglas.beat...@gmail.com wrote: > I hope the same courtesy is afforded to other high profile customers and > their CA should the need arise. Why should a requestor's profile come into it? Because they're in a better position to make trouble if their requ

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-27 Thread deanjc18
On Thursday, February 25, 2016 at 10:06:50 PM UTC-5, Peter Gutmann wrote: > Dean Coclin writes: > > >According to WP, as part of the EMV program, they are aggressively rolling > >out new devices to replace all old equipment in the field. They expect this > >to be completed by the end of the year.

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-26 Thread Dean Coclin
You beat me to it: These certificates have been logged to our CT log server at ct.ws.symantec.com, with these index numbers: 236731 236746 236748 236751 236759 236763 236767 Dean Coclin On 02/26/16, Andrew Ayer wrote: On Wed, 24 Feb 2016 16:11:38 -0800 (PST) rbar...@mozilla.com wrote: > 2. On issuance of any

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-26 Thread Richard Barnes
On Fri, Feb 26, 2016 at 11:32 AM, wrote: > On Thursday, February 25, 2016 at 10:06:50 PM UTC-5, Peter Gutmann wrote: > > Dean Coclin writes: > > I think Symantec and Mozilla are doing the right thing. Nobody is asking > to extend the 1/1/2017 SHA-1 deprecation date. World Pay could have SHA-1

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-26 Thread douglas . beattie
On Thursday, February 25, 2016 at 10:06:50 PM UTC-5, Peter Gutmann wrote: > Dean Coclin writes: I think Symantec and Mozilla are doing the right thing. Nobody is asking to extend the 1/1/2017 SHA-1 deprecation date. World Pay could have SHA-1 certificates that expire on 12/31/2016 if they had

RE: Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Peter Gutmann
Dean Coclin writes: >According to WP, as part of the EMV program, they are aggressively rolling >out new devices to replace all old equipment in the field. They expect this >to be completed by the end of the year. They have already moved a large >number of devices to support SHA-2. Wouldn't it b

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Dean Coclin
What CA(s) would Symantec use as the issuer for the certificates? The same one they've been using and know works: VeriSign Class 3 International Server CA - G3. >> Dean, are you sure about that? Rob - Yes I am. I am sure that we will be using that CA to satisfy this request because we know it works. You

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-25 Thread Dean Coclin
Richard, According to WP, as part of the EMV program, they are aggressively rolling out new devices to replace all old equipment in the field. They expect this to be completed by the end of the year. They have already moved a large number of devices to support SHA-2. Again, per my previous post, the

RE: Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Peter Gutmann
Dean Coclin writes: >The same one they've been using and know works: VeriSign Class 3 >International Server CA - G3. So the devices will trust any cert from this CA? This is a serious question, a contractor once got into USG infrastructure with a $20 or so cert because they'd done the same th

Re: Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Dean Coclin
Peter, The same one they've been using and know works: VeriSign Class 3 International Server CA - G3. Dean On 02/24/16, Peter Bowen wrote: Dean as Symantec, What CA(s) would Symantec use as the issuer for the certificates? Thanks, Peter On Feb 24, 2016 12:52 PM, "Dean Coclin"

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Peter Bowen
Dean as Symantec, What CA(s) would Symantec use as the issuer for the certificates? Thanks, Peter On Feb 24, 2016 12:52 PM, "Dean Coclin" wrote: > This is Dean from Symantec (same Dean as the CA/B Forum Chair but I'm > leaving that hat off right now). I'd like to answer some questions about > t

Re: Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Dean Coclin
This is Dean from Symantec (same Dean as the CA/B Forum Chair but I'm leaving that hat off right now). I'd like to answer some questions about this situation on which I agree is less than ideal. First off, as Gerv mentioned, many device manufacturers erroneously embedded public roots in their device