[cabfpub] SHA-1 exception request

Gervase Markham gerv at mozilla.org
Thu Oct 13 19:37:55 UTC 2016

On 29/09/16 19:52, Dean Coclin wrote:
> In accordance with the SHA-1 Exception Request procedure, we hereby submit
> the attached request on behalf of our client. 

After consideration, Mozilla grants an exception for the issuance of
SHA-1 certificates, with the condition that they expire not after
December 31st 2016, in line with the policy Google drafted.

We accept there is a case to be made that duration does not directly
affect risk of issuance, but it affects risk of ongoing use, and it
affects the issue of moral hazard and fairness to other companies.

Mozilla's public purpose is to make the Internet a better place for
everyone, and that includes citizens whose credit card data passes
across it. We are saddened that various payment card industry standards
do not seem to put as high a value on the security of users' data as the
Internet community does.

Thanks to First Data for their honest answers to the questions put.


More information about the Public mailing list