Removing Startcom from the trust root would be a catastrophe for the security of Mozilla's users, since it would move the Web from one free CA to zero free CAs, thereby forcing over a hundred thousand websites from HTTPS (which is actually still not terrible, even if you had a window of Heartbleed vulnerability) to HTTP (which is completely and utterly insecurable).
Startcom needs to implement support for free self-signed revocation, but I don't think they're obliged to reissue for you. And my advice to any website that (a) wants to do something to feel better about Heartbleed and (b) isn't willing to pay $25 for reissuance would be to turn on Perfect Forward Secrecy and keep using their old cert. That's going to get you to a better final state than revoking and using HTTP or self-signed w/ cert warnings.

On 21 April 2014 17:50, Radu Hociung <[email protected]> wrote:
> On Monday, April 21, 2014 12:32:43 PM UTC-4, Daniel Micay wrote:
> > Mozilla has all the
> > cards in their hands here.
>
> Indeed. I'm glad to see others before me reached the same conclusion, that
> the appropriate response is to remove the trusted status of Startcom.
>
> The original bugzilla #994033 was closed, this issue has been debated in
> the mailing list for a few days, but what is the resolution?
>
> AFAICT, Mozilla's position is "Startcom is here to stay"?
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
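The trade-off argued above (a Heartbleed-exposed private key versus a forward-secret key exchange), as an added illustration that is not part of the mailing-list post: a toy Python model with constructed, deliberately tiny and insecure parameters, contrasting RSA key transport with ephemeral Diffie-Hellman. The RSA modulus, DH group and attacker function are all assumptions made for the demonstration.

```python
"""Toy model of why forward secrecy limits the damage of a leaked TLS private key.
Added example; textbook parameters are constructed and far too small for real use."""
import hashlib
import random
from typing import Dict, Optional, Tuple

# Constructed long-term server RSA key (toy size): n = p*q, d is the private exponent
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the value a Heartbleed-style leak could expose

# Constructed DH group (toy size) used only by the ephemeral exchange
DH_P = 2147483647                    # 2**31 - 1, prime
DH_G = 7


def session_key(secret: int) -> bytes:
    """Derive the symmetric session key from the agreed secret."""
    return hashlib.sha256(str(secret).encode()).digest()


def rsa_key_transport(rng: random.Random) -> Tuple[Dict, bytes]:
    """RSA key exchange: the client encrypts the premaster secret to the server's
    long-term key. Returns the on-the-wire transcript and the derived session key."""
    premaster = rng.randrange(2, N)
    transcript = {"mode": "rsa", "encrypted_premaster": pow(premaster, E, N)}
    return transcript, session_key(premaster)


def ephemeral_dh(rng: random.Random) -> Tuple[Dict, bytes]:
    """(EC)DHE-style exchange: the long-term key only signs the server's ephemeral
    value; the session secret g^ab depends on per-connection exponents a and b."""
    a, b = rng.randrange(2, DH_P - 1), rng.randrange(2, DH_P - 1)
    server_pub, client_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(server_pub).encode()).digest(), "big") % N
    sig = pow(digest, D, N)          # textbook RSA signature over the ephemeral value
    transcript = {"mode": "dhe", "server_pub": server_pub, "client_pub": client_pub, "sig": sig}
    return transcript, session_key(pow(client_pub, a, DH_P))


def recover_with_leaked_key(transcript: Dict, leaked_d: int) -> Optional[bytes]:
    """Passive observer who recorded the handshake and later obtained the private key.
    RSA transport: decrypt the premaster and rebuild the key. DHE: the key only
    explains the signature; g^ab is not recoverable from g^a and g^b, so return None."""
    if transcript["mode"] == "rsa":
        return session_key(pow(transcript["encrypted_premaster"], leaked_d, N))
    return None
```

The model shows the post's point: after a key leak, old RSA-transport sessions decrypt, while DHE sessions recorded under the same certificate stay sealed (a leaked key still allows impersonation going forward, which is why the signing key matters for new connections).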

