Walter Goulet wrote 2014-04-10 15:59:
> On Thursday, April 10, 2014 4:10:58 AM UTC-5, Kaspar Janßen wrote:
>> On 10/04/14 10:08, Peter Eckersley wrote:
>>
>> <snip>
>>
>> The key is that anybody should be able to shout out "don't trust me
>> anymore!" without a fee. Isn't that part of the trustchain idea?
>>
>> <snip>
>>
>> Kaspar
>
> Hi Kaspar,
>
> Your message is very timely; I have a domain I own using a StartSSL
> Class 1 certificate that I was planning on requesting revocation for
> due to Heartbleed. I had no idea that I had to pay for revocation
> either; in my mind this changes the entire value proposition of their
> offering. I personally have not yet decided if I will indeed revoke,
> but I will be dropping a line to them to inform them that this
> 'revocation fee' should clearly be stated on their website and that
> their 'free' Class 1 certificate is not actually free if you need to
> pay for security controls like revocation!
>
> Walter
Hi there Walter,

I would like to inform you that when you get a service you tend to read
the FAQs and Certificate Policy Statements, i.e. StartSSL have a FAQ where
a whole bunch of numbers concern revocation and handling fees:
http://www.startssl.com/?app=25#72 (#70 to #74). So please do not claim
they do not clearly state it; either you didn't read or didn't care to
read. Now they do not charge for the certificate in any way for
revocation, it's merely a handling fee, i.e. the guys that work there
need to get paid to do their job.

I can agree that some certificates _MIGHT_ be compromised and need
revocation, but as StartSSL stated earlier, if you have no intention of
paying $24.90 you could also create a _NEW_ certificate with a different
subdomain and replace yours; that would cost you... nothing?
https://bugzilla.mozilla.org/show_bug.cgi?id=994033#c4

But I cannot for the life of me see why we can't pay $24.90. They have
given us a service for free and now, when we need to do something, we
think it's wrong of them to charge us? Compare it to the real world:
companies must make money somehow, it's just a question of how and where.
A good point on this is made by Marcus Sundberg in bug #994033:
https://bugzilla.mozilla.org/show_bug.cgi?id=994033#c23

Also this issue is quite hard to handle; it is unknown how many certs
have actually been compromised since it's not traceable. As Rob
Stradling said:

> The Mozilla CA Certificate Maintenance Policy (Version 2.2) [1]
> says (emphasis mine):
>
> "CAs _must revoke_ Certificates that they have issued upon the
> occurrence of any of the following events:
> ...
> - the CA obtains _reasonable evidence_ that the subscriber's private
> key (corresponding to the public key in the certificate) has been
> compromised or is _suspected of compromise_ (e.g. Debian weak keys)"

This is a bit of an issue here: we don't know who might have been
targeted with this bug. I find it hard to believe that low traffic
domains could have been compromised, but there's a possibility; in this
case there is no way to get reasonable evidence of a subscriber losing
its private key. And to suspect every cert has been compromised, well,
then all CAs would need to make a huge CRL and pretty much revoke any
certificate that's been active during this incident, as all might be
suspected of compromise.

From the cabfpub:

> Heartbleed Bug Impact
>
> If the servers in your SSL environment do not use OpenSSL, if your
> servers use OpenSSL 1.0.0 or earlier, if your servers do not use
> OpenSSL 1.0.2-beta1, or if your servers are compiled without the
> heartbeat extension enabled, then your environment is not vulnerable
> to the Heartbleed Bug attack.
>
> However, if your servers are running an OpenSSL version 1.0.1 through
> 1.0.1f with the heartbeat extension enabled, then your environment is
> vulnerable to a Heartbleed Bug attack. Although no Heartbleed Bug
> attacks have been documented, it is impossible to know if the
> Heartbleed Bug vulnerability has been exploited because the attack
> does not leave a trace.

To actually have a chance here as a CA you would need to contact every
certificate holder and get their SSL environment. Most servers usually
run on older versions, for instance Debian squeeze has OpenSSL 0.9.8o.
Therefore it's hard to say how many have been impacted, how many have
been targeted and what the next step would be.

But as an end here, try to get a new certificate for a new subdomain if
you cannot pay $25. Or actually start to pay for SSL in the first place?
I mean, nothing is really free in the world; something has got to cost.

IMHO this removing of StartCom is just bogus. Maybe Mozilla can go
together and force out a policy of instant removal from clients if they
request so, but until then, they have been included, they have given out
numerous certificates and even considering removing them from the trust
store because of this is ludicrous.

-- 
Pontus Engblom

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
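The CA/B Forum version rule quoted in the message above (1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable; 1.0.0 and earlier, 1.0.1g and later, or heartbeat compiled out, not vulnerable) can be turned into a triage check over a server inventory. This is an added example, not code from the thread, from StartCom or from Mozilla; the banner strings are constructed in the style of `openssl version` output, and whether the heartbeat extension was compiled out is an operator-supplied flag, since the version string alone cannot show it.

```python
import re

# Constructed sample banners in the style of `openssl version` output (not from the thread).
SAMPLE_BANNERS = [
    "OpenSSL 0.9.8o 01 Jun 2010",      # the Debian squeeze version mentioned above
    "OpenSSL 1.0.0k 5 Feb 2013",
    "OpenSSL 1.0.1 14 Mar 2012",       # first 1.0.1 release, no letter suffix
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",       # the fixed release
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) from a banner, or None if it is not OpenSSL."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta


def heartbleed_status(banner, heartbeat_enabled=True):
    """Classify one banner by the quoted CA/B Forum rule.

    Vulnerable: 1.0.1 through 1.0.1f, and 1.0.2-beta1, with heartbeat enabled.
    Not vulnerable: 1.0.0 and earlier, 1.0.1g and later, or heartbeat compiled out.
    heartbeat_enabled is assumed to be known by the operator (e.g. from build flags);
    the banner alone cannot show it. Returns 'vulnerable', 'not-vulnerable' or 'unknown'.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"               # not OpenSSL, or an unrecognised banner
    major, minor, fix, letter, beta = parsed
    if not heartbeat_enabled:
        return "not-vulnerable"
    if beta is not None:               # only 1.0.2-beta1 is named by the rule
        return "vulnerable" if (major, minor, fix, beta) == (1, 0, 2, "beta1") else "unknown"
    if (major, minor, fix) == (1, 0, 1) and letter <= "f":
        return "vulnerable"            # "" (plain 1.0.1) sorts before "a", so it is included
    return "not-vulnerable"


def triage(banners, heartbeat_enabled=True):
    """Map each banner in an inventory to its status."""
    return {b: heartbleed_status(b, heartbeat_enabled) for b in banners}


if __name__ == "__main__":
    for banner, status in triage(SAMPLE_BANNERS).items():
        print(f"{status:15} {banner}")
```

As the quoted text notes, exploitation leaves no trace, so a "vulnerable" result is grounds to rekey and reissue the certificate, not evidence that the key was taken.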

