It's worth noting that StartCom isn't actually a free CA. They've demonstrated that with the business model they're using.
On Mon, Apr 21, 2014 at 6:18 PM, Peter Eckersley <[email protected]> wrote:
> Removing Startcom from the trust root would be a catastrophe for the
> security of Mozilla's users, since it would move the Web from one free CA
> to zero free CAs, thereby forcing over a hundred thousand websites from
> HTTPS (which is actually still not terrible, even if you had a window of
> Heartbleed vulnerability) to HTTP (which is completely and utterly
> insecurable).
>
> Startcom needs to implement support for free self-signed revocation, but I
> don't think they're obliged to reissue for you.
>
> And my advice to any website that (a) wants to do something to feel better
> about Heartbleed and (b) isn't willing to pay $25 for reissuance would be
> to turn on Perfect Forward Secrecy and keep using their old cert. That's
> going to get you to a better final state than revoking and using HTTP or
> self-signed w/ cert warnings.
>
>
> On 21 April 2014 17:50, Radu Hociung <[email protected]> wrote:
>
> > On Monday, April 21, 2014 12:32:43 PM UTC-4, Daniel Micay wrote:
> > > Mozilla has all the
> > > cards in their hands here.
> >
> > Indeed. I'm glad to see others before me reached the same conclusion, that
> > the appropriate response is to remove the trusted status of Startcom.
> >
> > The original bugzilla #994033 was closed, this issue has been debated in
> > the mailing list for a few days, but what is the resolution?
> >
> > AFAICT, Mozilla's position is "Startcom is here to stay"?
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy

