Peter Eckersley dixit:

>On 10 April 2014 00:46, Kaspar Janßen <[email protected]> wrote:
>> If someone pays 100 USD for certification, he considers to pay 100 USD
>> for revocation. If someone doesn't pay for certification, he will
>> hesitate to pay even 1 USD for revocation.

No. I fully expect a revocation for security reasons (as opposed to just a customer saying so out of a whim) to be free of cost, in all cases. It is acceptable for the CA to not reissue a cert to that customer subsequently. A rekey would be preferable.

>> That makes me question if a certificate signed by StartCom can be
>> considered as trustworthy.
>>
>> I confronted StartCom with my doubts and pleaded with them to find a way to
>> solve this hurdle. They wrote me: "This will not happen without changing
>> the entire business model".

>Kaspar, suppose that Mozilla followed your suggestion and removed
>StartCom's root certificates from its trust store (or revoked them!). What
>would the consequences of that decision be, for the large number of domains
>that rely on StartCom certs?

Mozilla is big enough to make StartCom reconsider this stance (especially as approximately two or three people *did* get the fee waived – I, along with several others, didn't, and there are cases where such a fee cannot realistically be paid). And, if not, well, bite the bullet. Distrusting StartCom would adversely affect me too, but unless StartCom changes their stance by Friday, 16:00 UTC, I'll be pushing for removal of all of their certificates from the root store.

This is not a contractual matter between StartCom and their users. This is about the stability of the cryptographic ecosystem, and, in this case, a CA, every CA, has a public responsibility (especially due to the oligopoly they have).

See also my e-mail <[email protected]> which apparently hasn't made it to this list yet.

bye,
//mirabilos
-- 
(gnutls can also be used, but if you are compiling lynx for your own use,
there is no reason to consider using that package)
	-- Thomas E. Dickey on the Lynx mailing list, about OpenSSL

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

