Hi, initially I filed a bug report [1] about the consequences of CVE-2014-0160, but this seems to be a better place for a discussion. There was still a discussion about the problem there which may be interesting.

To give a short introduction: StartCom is offering free Class 1 certificates under the label StartSSL. The certification is completely free of charge, but the revocation costs 25 USD.

The problem: I don't think that this is much money, but I think this will prevent many people from renewing their keys, which should be considered as compromised. They are, maybe not intentionally, throwing people in the pool, but they don't check if they can swim. Customers of other companies were faced with the decision whether they would like to and can spend money for TLS. But due to the free certification, people tend to create dedicated keys for every service. That is good for the encryption side but bad if these people now have to pay ~10 * 25 USD. As a result of that, most people just will not change their keys. That makes me question if a certificate signed by StartCom can be considered as trustworthy. I confronted StartCom with my doubts and pleaded with them to find a way to solve this hurdle. They wrote me: "This will not happen without changing the entire business model". In Germany, this _could_ be considered as fraud, but they don't comply with European law anyway.

The consequence: I would like to start a discussion about that and the reactions. My idea is that there should be a general policy that says that a revocation can't cost more than the creation, or something like that. If someone pays 100 USD for certification, he considers paying 100 USD for revocation. If someone doesn't pay for certification, he will hesitate to pay even 1 USD for revocation.

Yours sincerely,
Kaspar Janßen

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=994033

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

