On 04/23/2014 11:51 AM, Eddy Nigg wrote:
> On 04/10/2014 07:05 PM, Eddy Nigg wrote:
> 
> Alright - things have calmed down luckily by now. As my first input
> to the discussion please read carefully my explanation, thoughts
> and comments I've written down in my blog at
> https://blog.startcom.org/?p=230

I would like to point out that this assumption

> According to my understanding of this vulnerability, for [the
> private key to be leaked] an attacker must have performed the attack
> on the server right after a restart when the private key is loaded
> into memory and still within the first 64K allocated memory space

has been demonstrated to be false: due to further implementation bugs,
one of the RSA secret primes, 'p', has a chance to be copied to a
higher memory address, and not erased thereafter, upon each new TLS
handshake. Please see
http://www.lightbluetouchpaper.org/2014/04/25/heartbleed-and-rsa-private-keys/
for more detail.

That being the case, Heartbleed-related revocations should, per
section 4.9.1 of https://www.startssl.com/policy.pdf, be handled as
the case where "the subscriber's key is suspected to be compromised".
It is my understanding of that document that such revocations do
*not* carry a handling fee; handling fees only apply to the final
clause in the list ("the subscriber makes a request for revocation")
*without* any of the other cases applying.  (I admit that the document
is ambiguous - you should also redraft it to make the scope of the (*)
footnote clearer.)

Moreover, it is my personal opinion that as a matter of basic business
ethics, this is a cost you (or rather, your insurance) should absorb,
not your customers.

zw
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
