On 10.04.2014 17:25, Pontus Engblom | DigiSSL AB wrote:
> But as an end here, try to get a new certificate for a new subdomain if
> you can not pay $25. Or actually start to pay for SSL from the first
> place?

The point is: issuing for free and revoking for a fee is a model that will lead to non-revocation of certificates with leaked keys. Even if the business model is neither part of a CA's policy nor of the Mozilla CA review process, this is a critical point, especially (but not only) in combination with Heartbleed.

> To actually have a chance here as a CA you would need to contact every
> certificate holder and get their SSL environment.

Actually it's the obligation of the certificate owner to care about the security of the private key and to become active if something happens. In the end it is his server(s) that can be MITM-ed.

> And to suspect every cert has been compromised well, then all CAs
> would need to make a huge CRL

Don't cry about that, Mozilla doesn't check them anyway.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

