This means that Symantec also needs to ask the maintainers of other trusted root certificate programs, like Microsoft and Apple, for permission.
If it gets the go-ahead, this will establish a precedent and other companies might come asking for additional exemptions. Mozilla acknowledged that it is willing to consider similar requests on a case by case basis, if those requests are made at least two weeks in advance of the expected issuing date for new certificates.
"We understand that there are payment processing organizations other than Worldpay that continue to have similar requirements for SHA-1 -- either within the Web PKI [public key infrastructure] or outside it," Barnes said. "It is disappointing that these organizations are putting the public’s data at risk by using a weak, outdated security technology. We encourage organizations with a continuing need for SHA-1 in the Web PKI to come forward as soon as possible and provide as much detail as possible about their plans for a transition to SHA-2."
This is not the first and probably won't be the last concession that browser makers will have to make regarding their plan to retire SHA-1 certificates from the Internet.
In January, Mozilla was forced to undo a change that it made in Firefox to ban all SHA-1 certificates issued after Jan. 1. It turned out that some security devices that performed man-in-the-middle SSL/TLS traffic inspection were using self-signed SHA-1 certificates. Because of the ban, Firefox users on networks that used such devices were suddenly unable to access any HTTPS websites.
Meanwhile, Facebook and CloudFlare are pushing for the creation of a new class of SHA-1-signed certificates that HTTPS websites would be allowed to use only with legacy browsers and mobile clients that don't support SHA-2 certificates.
Sign up for CIO Asia eNewsletters.