[cabfpub] SHA-1 exception request

Gervase Markham gerv at mozilla.org
Tue Oct 18 21:00:02 UTC 2016

Hi Dean,

We discussed this this morning, but this draft was half-written, so:

On 13/10/16 21:58, Dean Coclin wrote:
> Thank you for the prompt response to First Data's application. While we 
> appreciate the approval and await responses from other browsers, I'd like to 
> point out that this deadline doesn't really help First Data and the merchants 
> much.

It gives them up to an extra two months to fix things, if they want it.

If having everything break on 31st December is a problem, First Data
always have the option of permanently upgrading their infrastructure to
SHA-2 on a more convenient date earlier than that. They have control
over when they stop using SHA-1.

So it's wrong to characterise this as a "December 31st cutoff".

> First Data requested an expiration in March and while I understand Mozilla's 
> reluctance to approve a date that late, I was hoping they would at least 
> receive equal treatment as TSYS with a February 9th expiration. 

TSYS was a bit unfortunate - not sure how that happened. I seem to
remember I was moving house at the time, and conditioned my acceptance
on Google's acceptance. I want to be consistent, and now I'm faced with
the choice of being consistent with policy or with precedent. Having
weighed this up, the moral hazard argument is most weighty. Other
companies have bust a gut to get this done by the end of the year. And
it would be ridiculous that, come 1st January, my blog would be required
to have better security in order to work than a merchant handling my
credit card.


More information about the Public mailing list