[cabfpub] SHA-1 exception request
Gervase Markham
gerv at mozilla.org
Wed Oct 12 08:59:39 MST 2016
On 12/10/16 16:50, Dean Coclin wrote:

> [First Data] Yes. First Data requires POS vendors to certify to our
> APIs, which detail the signature algorithms that are supported and
> also detail which ROOT CAs must be used.

Is this documentation available? Which root CA(s) are on the list?

> [First Data] We have multiple roots available to fall back to,
> however each of them would require us to use this SHA-1 procedure
> because all of the 300,000 devices require a SHA-1 end entity
> certificate.

And as it happens, none of them are in the set of roots that CAs have
pulled from browser root stores so they can continue SHA-1 issuance?

> As was pointed out in a previous application, the risk is at issuance
> and is not affected by validity period. See link:
> https://cabforum.org/pipermail/public/2016-July/008007.html

Nevertheless, the SHA-1 deprecation process, as outlined in the BRs,
does not allow unlimited validity.

Mozilla is considering our response internally; we hope to have an
answer for you soon.

Gerv