Re: [cabfpub] SHA-1 exception request

2016-10-13 Thread Gervase Markham via Public
On 13/10/16 14:16, Dean Coclin wrote:
> [First Data] Yes. We send them directly to integrators. They are not published on a website. At the point a device vendor certifies to our network we currently specify one Root which is the VeriSign G5. With the emergence of 2048bit certs, we

[cabfpub] FW: Revised Final Sept. 15 Minutes

2016-10-13 Thread Dean Coclin via Public
Although these minutes were approved, some issues were noted after approval. Those corrections are included in this approved version. Final Minutes September 15, 2016 (v2, revised 9/29/2016) Attendees: Alex Wight (Cisco), Arno Fiedler (D-Trust), Atsushi Inaba (Globalsign), Ben Wilson

Re: [cabfpub] SHA-1 exception request

2016-10-13 Thread Gervase Markham via Public
On 29/09/16 19:52, Dean Coclin wrote:
> In accordance with the SHA-1 Exception Request procedure, we hereby submit the attached request on behalf of our client.

After consideration, Mozilla grants an exception for the issuance of SHA-1 certificates, with the condition that they expire not

[cabfpub] Final minutes of CA/B Forum call September 29th 2016

2016-10-13 Thread Dean Coclin via Public
Draft Minutes September 29, 2016 Attendees: Andrew Whalley (Google), Anuj Saxena (Network Solutions), Arno Fiedler (D-Trust), Atsushi Inaba (Globalsign), Ben Wilson (Digicert), Billy VanCannon (Trustwave), Bruce Morton (Entrust), Connie Enke (SwissSign), Curt Spann (Apple), Dean Coclin

Re: [cabfpub] SHA-1 exception request

2016-10-13 Thread Dean Coclin via Public
Gerv, Thank you for the prompt response to First Data's application. While we appreciate the approval and await responses from other browsers, I'd like to point out that this deadline doesn't really help First Data and the merchants much. As discussed during the TSYS exception in July, the

Re: [cabfpub] SHA-1 exception request

2016-10-13 Thread Dean Coclin via Public
Additional commentary from First Data about the December cutoff date:
• Dec. 31st falls on the first weekend after Christmas this year which is the peak time for gift returns and exchanges.
• Gift card redemptions are also at their peak this weekend
• New Year’s Day is a

Re: [cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain

2016-10-13 Thread Rick Andrews via Public
Kirk, in my years with VeriSign and Symantec, I also can’t recall a domain owner asking for more info about a cert that we had issued, but
a) The request probably would not have come to or through me
b) It’s a lot more likely to happen today because of CT

The first example you

Re: [cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain

2016-10-13 Thread Kirk Hall via Public
Fair enough – we can all file away Peter’s list for future use. But in my mind, the second example is equivalent to a Certificate Problem Report that is requesting revocation, and I think each CA can develop its own methods for how to handle that – I don’t think we need mandatory provisions in

Re: [cabfpub] SHA-1 exception request

2016-10-13 Thread Mehner, Carl via Public
> Or do you have some requirements, e.g. PCI compliance?
>
> [First Data] Yes there are PCI requirements that must be met. As pointed out by Peter Bowen, those requirements have not yet prohibited SHA-1 certificates.

I think that's a miscategorization of what Peter said. He was simply

Re: [cabfpub] SHA-1 exception request

2016-10-13 Thread Dean Coclin via Public
More responses below:

On 12/10/16 16:50, Dean Coclin wrote:
> [First Data] Yes. First Data requires POS vendors to certify to our APIs which detail the signature algorithms that are supported and also detail which ROOT CAs must be used.

Is this documentation available? Which root CA(s)