[cabfpub] Application for SHA-1 Issuance

Dean Coclin Dean_Coclin at symantec.com
Mon Jul 18 22:25:23 UTC 2016


Posted on behalf of TSYS in response to Gerv's inquiry:

Some terminals need to be replaced with other physical hardware, while others require a download to an updated application.  TSYS cannot make hardware purchasing decisions on behalf of our clients, and clients and merchants need to be consulted on a range of available replacement devices.  As for terminal downloads to an updated application, these must be performed at the device by a person (the updates cannot be "pushed").  TSYS and our clients have been communicating to impacted merchants by mail, e-mail, and telephone regarding the needed updates.  As for the reduction from 300K to 60K terminals, this was accomplished by efforts to confirm certain applications did not need to be updated (applications not owned or provisioned by TSYS) that were on initial "potential" impact lists, as well as successful outbound campaigns to impacted merchants to perform terminal downloads to an updated application.



-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Monday, July 18, 2016 10:32 AM
To: Dean Coclin <Dean_Coclin at symantec.com>; Andrew Ayer <andrew at sslmate.com>
Cc: Bryan Smoak <BryanSmoak at tsys.com>; public at cabforum.org
Subject: Re: [cabfpub] Application for SHA-1 Issuance

On 16/07/16 22:29, Dean Coclin wrote:
>> Enclosed please find the application for SHA-1 issuance presented on 
>> behalf of our client. Note that the application was fully completed 
>> by the client.

This document says:

> * SHA-1 certificate on terminal expires on August 3, 2016
> * Terminal may still reside at merchant location
> * Terminal contains an expired certificate ...

This is confusing because it makes it sound like the SHA-1 certificates are client certificates inside the 60K outstanding clients. But the request is only for issuance of 8 certificates. Is this part of the document poorly worded?

> Merchants may then be required to purchase a replacement terminal 
> which can take numerous days to remedy

Presumably as the terminal in this case can't support SHA-256, this is the end outcome in all circumstances? If that's the case, why has TSYS not been either proactively sending terminals to clients, or sending software updates which notify users to obtain new terminals, or using some other method of communication to get these terminals replaced before the deadline?

It says elsewhere that they have got down from 300K to 60K terminals. What methods led to this reduction? Will the merchant in the above scenario have ignored one or more communications from TSYS or their partners requiring them to replace their terminal?

Gerv
