[cabfpub] Application for SHA-1 Issuance

Dean Coclin Dean_Coclin at symantec.com
Tue Jul 19 20:56:55 UTC 2016


Please see responses below, posted on behalf of TSYS.



From: public-bounces at cabforum.org On Behalf Of Andrew R. Whalley







The response I received from TSYS regarding the OU value is as follows:

"The value at the end of the OU, is an independent cryptographically created
identity value used by TSYS Support for the sole purpose of identifying the
site where the services terminate."



It would be useful to get more information on this point.  For example:



* Is this required for correct operation of the systems using the 
certificates?

It is not critical for SSL/TLS operations; however, it is used to distinguish 
different certificates on different ports at the same site for the same 
domain.  It provides the Support Teams (non-technical teams) with a guaranteed 
unique value to confirm the client is attempting to access the correct 
service.


* Is the cryptographic operation something simple we could verify such as the 
hash of the site name that could be provided?

The value is not a hash, it is a site identifying value that is randomly 
generated using Agile Bits 1Password 6.4.3 Password Algorithms.  It is 
intended to remain sticky to the site/host going forward and will be used on 
all subsequent certificate replacements of the same Certificate Type.



* Are any earlier existing certs that have the same style of OU value 
available for inspection?

In the payment space, no, the additional element was added due to the 
challenges teams had confirming a host and by certificate name when multiple 
Virtual IPs/Ports exist for the same domain name.
