Kaspar, suppose that Mozilla followed your suggestion and removed StartCom's root certificates from its trust store (or revoked them!). What would the consequences of that decision be, for the large number of domains that rely on StartCom certs?
On 10 April 2014 00:46, Kaspar Janßen <[email protected]> wrote:
> Hi,
>
> Initially I filed a bug report [1] about the consequences of
> CVE-2014-0160, but this seems to be a better place for a discussion.
> There was still a discussion about the problem which may be interesting.
>
> To give a short introduction: StartCom is offering free Class 1
> certificates under the label StartSSL. The certification is completely
> free of charge, but the revocation costs 25 USD.
>
> The Problem: I don't think that this is much money, but I think this will
> prevent many people from renewing their keys, which should be considered
> compromised.
>
> They are, maybe not intentionally, throwing people into the pool, but they
> don't check if they can swim. Customers of other companies were faced with
> the decision whether they would like to and can spend money on TLS. But due to
> the free certification, people tend to create dedicated keys for every
> service. That is good for the encryption side but bad if these people
> now have to pay ~10 * 25 USD.
>
> As a result of that, most people just will not change their keys.
> That makes me question whether a certificate signed by StartCom can be
> considered trustworthy.
>
> I confronted StartCom with my doubts and pleaded with them to find a way to
> solve this hurdle. They wrote me: "This will not happen without changing
> the entire business model".
>
> In Germany, this _could_ be considered fraud, but they don't comply with
> European law anyway.
>
> The Consequence: I would like to start a discussion about that and the
> reactions. My idea is that there should be a general policy that says
> that a revocation can't cost more than the creation, or something like that.
>
> If someone pays 100 USD for certification, he considers paying 100 USD
> for revocation. If someone doesn't pay for certification, he will
> hesitate to pay even 1 USD for revocation.
>
> Yours sincerely,
>
> Kaspar Janßen
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=994033
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

