[cabfpub] SHA-1 exception request

Gervase Markham gerv at mozilla.org
Wed Oct 12 15:59:39 UTC 2016

On 12/10/16 16:50, Dean Coclin wrote:
> [First Data]  Yes. First Data requires POS vendors to certify to our
> API’s which detail the signature algorithms that are supported and
> also detail which ROOT CA’s must be used.

Is this documentation available? Which root CA(s) are on the list?

> [First Data] We have multiple roots available to fall back to,
> however each of them would require us to use this SHA-1 procedure
> because all of the 300,000 devices require a SHA-1 end entity
> certificate.

And as it happens, none of them are in the set of roots that CAs have
pulled from browser root stores so they can continue SHA-1 issuance?

> As was pointed out in a previous application the risk is at issuance
> and is not affected by validity period. See link:
> https://cabforum.org/pipermail/public/2016-July/008007.html

Nevertheless, the SHA-1 deprecation process, as outlined in the BRs,
does not allow unlimited validity.

Mozilla is considering our response internally; we hope to have an
answer for you soon.


More information about the Public mailing list