So, getting a certificate for free isn't free? Or are they just a free CA up until you need to revoke?

Every business needs to get an income from something. Now this fee was put on revocations to keep people from revoking/re-issuing etc.; think before you buy, or whatever you like to call it. The $25 fee has been there since around 2010 at least, according to web.archive.org, meaning that none of your certificates can be claimed "Well hey, this policy wasn't there when I signed up". Yeah, it kinda was. And yes, I agree with Peter that maybe it would be better to implement free revocation from StartCom's side but take out a fee for reissue; that might be a plan for the future. Now post-Heartbleed we have learned that if you have a certificate at StartCom, you have to pay to get it revoked (but some people claimed their certs got revoked without paying). Most people who go to StartCom are just in it for the padlock; they're not willing to invest any money whatsoever into security (if so, they clearly would have paid the $25 and carried on with their day). We should really be focusing on a Mozilla revocation policy, which must be a lot clearer (and *stricter*?).

Tyler Szabo wrote on 2014-04-22 07:18:
> It's worth noting that StartCom isn't actually a free CA. They've demonstrated that with the business model they're using.
>
>
> On Mon, Apr 21, 2014 at 6:18 PM, Peter Eckersley <[email protected]> wrote:
>
>> Removing Startcom from the trust root would be a catastrophe for the security of Mozilla's users, since it would move the Web from one free CA to zero free CAs, thereby forcing over a hundred thousand websites from HTTPS (which is actually still not terrible, even if you had a window of Heartbleed vulnerability) to HTTP (which is completely and utterly insecurable).
>>
>> Startcom needs to implement support for free self-signed revocation, but I don't think they're obliged to reissue for you.
>>
>> And my advice to any website that (a) wants to do something to feel better about Heartbleed and (b) isn't willing to pay $25 for reissuance would be to turn on Perfect Forward Secrecy and keep using their old cert. That's going to get you to a better final state than revoking and using HTTP or self-signed w/ cert warnings.
>>
>>
>> On 21 April 2014 17:50, Radu Hociung <[email protected]> wrote:
>>
>>> On Monday, April 21, 2014 12:32:43 PM UTC-4, Daniel Micay wrote:
>>>> Mozilla has all the cards in their hands here.
>>>
>>> Indeed. I'm glad to see others before me reached the same conclusion, that the appropriate response is to remove the trusted status of Startcom.
>>>
>>> The original bugzilla #994033 was closed, this issue has been debated in the mailing list for a few days, but what is the resolution?
>>>
>>> AFAICT, Mozilla's position is "Startcom is here to stay"?
>>> _______________________________________________
>>> dev-security-policy mailing list
>>> [email protected]
>>> https://lists.mozilla.org/listinfo/dev-security-policy
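Peter's advice in the quoted thread is to turn on Perfect Forward Secrecy and keep the old certificate if reissuance is off the table. The check below is an added example, not code from anyone in the thread: it parses OpenSSL cipher-description lines (the `Kx=` field) to tell ephemeral key exchange from static RSA key exchange, and audits a server cipher string the way an operator would verify that "PFS is on" before relying on it. The cipher strings and the sample description lines are constructed for the example.

```python
import re
import ssl
from typing import Dict, List

# Key-exchange families that give forward secrecy: the session key comes from
# ephemeral (EC)DH values, so a later leak of the server's long-term RSA key
# (the Heartbleed worry) does not decrypt traffic that was recorded earlier.
# "any" is what OpenSSL reports for TLS 1.3 suites, which are always ephemeral.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}

# OpenSSL's SSL_CIPHER_description() format, e.g.
# "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
_KX_RE = re.compile(r"\bKx=(\S+)")


def key_exchange(description: str) -> str:
    """Return the Kx= value from an OpenSSL cipher description line."""
    match = _KX_RE.search(description)
    if not match:
        raise ValueError(f"no Kx= field in cipher description: {description!r}")
    return match.group(1)


def is_forward_secret(description: str) -> bool:
    """True if the suite's key exchange is ephemeral (DHE/ECDHE or TLS 1.3)."""
    return key_exchange(description) in FORWARD_SECRET_KX


def audit_descriptions(descriptions: List[str]) -> Dict[str, bool]:
    """Map each suite name (first token of the description) to its PFS status."""
    return {d.split()[0]: is_forward_secret(d) for d in descriptions}


def non_pfs_suites(cipher_string: str) -> List[str]:
    """Names of suites in an OpenSSL cipher string that lack forward secrecy.

    A throwaway server context makes OpenSSL expand the string into the
    concrete suites it would actually offer, so the audit reflects what the
    library does rather than what the string looks like.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [
        c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["description"])
    ]


# Constructed sample description lines (the format OpenSSL prints), used to
# show the classifier on a mix of static-RSA and ephemeral suites.
SAMPLE_DESCRIPTIONS = [
    "AES128-SHA                TLSv1   Kx=RSA   Au=RSA  Enc=AES(128)     Mac=SHA1",
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
    "DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH    Au=RSA  Enc=AESGCM(256) Mac=AEAD",
    "TLS_AES_256_GCM_SHA384    TLSv1.3 Kx=any   Au=any  Enc=AESGCM(256) Mac=AEAD",
]

# A cipher string restricted to ephemeral key exchange; what a server wanting
# PFS would configure (constructed for the example, not from the thread).
PFS_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"

if __name__ == "__main__":
    for name, ok in audit_descriptions(SAMPLE_DESCRIPTIONS).items():
        print(f"{name:32} forward secrecy: {'yes' if ok else 'NO'}")
    print("non-PFS suites in PFS-only string:", non_pfs_suites(PFS_ONLY_CIPHERS))
```

The caveat worth keeping in mind when following that advice: forward secrecy limits what an attacker learns from recorded traffic if the key leaks later, but it does nothing against someone who already holds the private key and uses it to impersonate the server. That is exactly the case revocation exists for, which is why the two are complements rather than substitutes.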

