Thanks for your contribution, Pontus.

On 10/04/14 18:10, Pontus Engblom wrote:
> This assumes that the domain has been targeted, yes, and that an evil
> person would want to harm users using that domain, yes.
>
> If we go into an event like this, it's not actually the CA's fault, nor
> the system administrator's fault; this was a bug. Who should we really blame?

Admins are telling StartCom that they are holding a valid certificate for a compromised key, but they keep the cert valid. Why should Mozilla trust their root anymore?

> If we are to blame the CA for not revoking, why isn't there a
> proposal for an explicit policy that forces CAs to remove certs that
> users ask for, while it's up to the CA to then either charge the client
> for a new certificate or not do business with that client?

This discussion shouldn't just lead to a decision about StartCom. We need a policy that generally prohibits a fee for a revocation.

I am not sure if a rekey should be part of a company's freedom or not. I could imagine that StartCom would say they revoke the certs for free but want the fee for rekeying. In real life this wouldn't change much. At the end of the day, they would stay untrustworthy because we have to assume a large number of compromised but active certs. The rule of encryption: when in doubt, compromised!

> I am not really sure about this, but I never said that I support not
> revoking; all I say is that this is one way for StartSSL to actually
> earn some income. Which I must say cannot be easy when everyone just
> wants the stuff for free and won't pay at all for security.

To stretch it a little bit: if we assume that they don't have a working business model, maybe I should donate them some money... maybe in reward for *.google.com? I think I wouldn't be the only interested person. Maybe NASA? :D It's clear what I mean. This also doesn't make a CA more trustworthy.

> Yes, they have no obligation to give us free certificates either. They
> could start charging us like any other CA; that would just end up in
> lots of unsecured domains. Most people that hold a Class 1 I doubt
> would want to pay for SSL at the current price ranges, but what do I know.

If a website is plaintext, you know what you have. Also if it is self-signed. Someone could still use CAcert or build their own CA. If a CA is in the truststore, it should behave responsibly. If this is not possible with a reliable and free offer, then we have to deal with it. I don't want to bring up the CAcert problem.

- end of response -

On some comments and on Twitter I read things like "crying freetards" and things like that. This makes me angry. I bet these people never heard of things like BEAST or compression side channel attacks. We are dancing with really bad problems in TLS, and now there is a widely trusted CA who doesn't give a **** what it keeps signed.

Sorry, but this is ridiculous; otherwise the EFF could stop the development of HTTPS Everywhere and start feeding the world. No, they won't, and that is good.

Kaspar

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

