[cabfpub] SHA-1 exception request

Gervase Markham gerv at mozilla.org
Thu Oct 13 15:22:54 UTC 2016

On 13/10/16 14:16, Dean Coclin wrote:
> [First Data]  Yes.  We send them directly to integrators. They are
> not published on a website.  At the point a device vendor certifies
> to our network we currently specify one Root which is the VeriSign
> G5. With the emergence of 2048-bit certs, we established a policy of
> specifying a single Root.

I would gently suggest that this is a single point of failure for your
entire network, and it would be wiser to specify at least two roots,
operated by different CAs.

In fact, given that space to store roots is cheap even in the tiniest
embedded devices, why not two roots by each of two companies?


