[cabfpub] SHA-1 exception request

Gervase Markham gerv at mozilla.org
Mon Oct 10 16:57:26 UTC 2016

On 10/10/16 17:36, Peter Bowen wrote:
> According to Visa’s website, POS terminal vendors must cease selling
> devices that don’t support SHA-2 by April 30, 2017 (the “Device
> Expiration Date”).  However Visa has not set sunset date for such
> devices.  Their usage requirement says “Allowed if purchased prior to
> expiration date”.

My word. I guess I now know why they call them "POS" terminals.

I note that in January 2011, NIST recommended[0] that "SHA-1 shall not
be used for digital signature generation after December 31, 2013."
Nearly six years after that recommendation, and three years after the
deadline, Visa has still not set a date when the security of our payment
transaction data will stop relying on this algorithm.


[0] Special Publication 800-131A

More information about the Public mailing list