My $0.02 is that by charging a fee in order to revoke the certificate of a compromised key, StartCom is violating section #2 of the Mozilla CA Certificate Maintenance Policy, which requires that certificates be revoked under certain circumstances, including reasonable evidence that the private key is compromised.

http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/

Whether or not StartCom can (or should) charge fees for revocations has come up on this list before.

https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/3naC_Qosfq4/G90NCqzVuK8J

In principle I actually agree with Eddy (who is the owner of StartCom) that it isn't the role of Mozilla to dictate a business model to the CAs. The exception to this is that it is Mozilla's role to dictate some security policies to the CAs, and these security policies can impact some business models. In this case it is revocation of compromised certificates, as stated under section #2 of the CA Policy. The CA policy requires these certificates to be revoked if there is reasonable belief that the private keys may be compromised. By making revocation contingent on receiving payment, a CA will fail to comply with this section if a customer does not pay.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

