On Thu, Apr 10, 2014 at 10:55:17 -0700, Dave Cridland wrote:
> I absolutely agree; however I'd also suggest that the point is moot.
> The question isn't whether or not people should have known, or even
> did know, that StartCom's business model is based around charging fees
> for revocations.
>
> It doesn't matter whether anyone thinks this is fair or not - I think
> it's a dangerous business practice, and I'm surprised that it's
> considered in line with §2 of Mozilla's CA Certificate Maintenance
> Policy, but that again is largely irrelevant.
>
Given that Mozilla no longer checks CRLs anyway, the discussion in general may be largely irrelevant:
https://bugzilla.mozilla.org/show_bug.cgi?id=867465#c12

OCSP is still alive and kicking, but it has some pretty notable issues regarding how easy it is to make it soft-fail:
https://www.imperialviolet.org/2012/02/05/crlsets.html

In light of all of this, removal of the CA from Mozilla for this would be a bit out of proportion. After all, if a certificate is revoked in the forest and no one is around to watch, is it really revoked?

-- 
Jon
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

