[cabfpub] Application for SHA-1 Issuance

Ryan Sleevi sleevi at google.com
Tue Jul 19 01:53:32 UTC 2016


On Mon, Jul 18, 2016 at 10:47 AM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> The response I received from TSYS regarding the OU value is as follows:
>
> "The value at the end of the OU, is an independent cryptographically created
> identity value used by TSYS Support for the sole purpose of identifying the
> site where the services terminate."
>

I'm hoping that TSYS might be able to provide a little more context here
about why these are needed, because I'm having trouble understanding this
reply.

I'll note Andrew is not the only person to have raised concerns about this;
Nick Lamb (CC'd) raised similar concerns in
https://groups.google.com/d/msg/mozilla.dev.security.policy/LM9tkZR9mLM/ACBIRX7GAAAJ

I can see several possible (likely benign) interpretations for TSYS's
reply, but it might be better if they could explain more or provide
additional context, so as to reassure the relying public about the purpose
of these values.

In addition, understanding the answers to Andrew's other questions -
particularly Question 3 - might help avoid the need for this issuance
entirely.

Question 1)
From the timeline in #7, it sounds like TSYS didn't begin planning the
SHA-1 transition until 8 months after Symantec's communication (Jan 16,
2015 vs April 1, 2014), and only became aware of remaining systems with
potential issues on November 30, 2015 - is that correct? That is, I'm
having trouble making sense of the event that occurred on November 30,
2015, and do want to make sure I understand, since it sounds like this may
be a key part to understanding how we can do better in the Forum in the
future, at least with respect to this situation.

Question 2)
Based on the response to #8, one of the improvements is "Additional lead
times to implement solutions from CAs" - but I'm unsure what's meant by
that. It sounds like there was already a 20 month lead time for the
transition, with an 8 month gap before action was taken, and there were
still difficulties. Could TSYS perhaps expand on what was meant by this?
If, in the future, the Forum needs to deprecate something, the lead times
for that deprecation will necessarily be dictated by the Forum and its
deprecation schedule, so it's not entirely clear that we'll get better.

Question 3)
Based on #7, it sounds like Symantec's notification of the SHA-2 transition
on April 1, 2014 was the first notice that TSYS had about the need to
migrate away from SHA-1. It's also unclear if there were further
communications between then and November 30, 2015 (the internal report) and
December 15, 2015 (the need to accelerate). Is this correct? I'm asking to
try to understand if this issue may have been partly caused by a lack of
communication by the CA, a lack of communication by the industry, a lack of
clarity in the communications, or something else entirely.