I think pay-to-revoke is pretty bad for security, and therefore should not be allowed.
I also think it's unacceptable for a CA not to care that they have green padlocks around that don't mean what they're supposed to - like Startcom is doing, they've received revocation requests, but they are only revoking after payment.

Mozilla and other browser vendors could stop this nonsense by providing their own CRL service - then anyone who has a certificate private key can revoke it.

Would that be possible? Should we discuss that?

Cheers
Tony

On Tuesday, April 15, 2014 4:27:06 AM UTC-3, Matthias Hunstock wrote:
> On 11.04.2014 18:46, Peter Eckersley wrote:
> > > Of course, yes. For revocation this is the correct approach.
> >
> > Ah, for revocation. Your post read as if you meant reissuance also.
> >
> > Regards

