Hello, Am 28.04.2014 um 00:07 schrieb Eddy Nigg <[email protected]>:
> On 04/25/2014 08:50 PM, Jan Lühr wrote: >> What's your argument here? Is "crying foul" "Unjustified", because >> nobody "cried foul" the moment you published your policies? > > It's unjustified if as a subscriber you are not willing to accept the terms > and conditions of that service, e.g. you want to accept the convenient part > of it but not commit to your obligations. > >> Please consider: Heartbleed-scale problems have hardly happened before. > > True - the closest would be probably the Debian weak keys. > >> I'ven't considered any mass-key-compromise scenarios before > > I did - I learned from the Debian weak keys a lot. > >> Personally, I am "crying foul" because I'm re-thinking your policies >> having heartbleed in mind. > > You can't really rethink our policies, this is something we might have to do > at some point. You can either agree or disagree with them though. I can changed my mind. I try to learn from errors / mistakes I made, while reflecting / rethinking. As stated earlier, I’ven’t considered mass key compromise so far. Is it my fault? Yes it is and you can blame me for doing so. But this is not the point we’re talking about. > >> Personally, I vote no. StartSSL is not revoking certificates assumed to >> be compromised, if a subscriber doesn't pay. > > You are expecting to receive all benefits without taking responsibility for > your part? Absolutely not. I’m not expecting any benefits and it’s not about that. It’s about the community (aka Mozilla) accepting StartSSL's gift (aka free certificates) by including StartSSL in your their products - or - rejecting it due to side constraints (aka revocation policy). To make this clear: Nobody is expecting StartSSL to do anything for free! Do what ever you like, for the price tag you like. I expect StartSSL to follow mozilla’s policies if they’re shipped with their products. This is one of the criteria _everybody_ needs to follow to be included. Don’t follow it - fine. Give out certificates for free while not being in the truststore (aka being a competitor of CAcert): Fine, I don’t care. > Or lets put it like this: > > As you stated before, how likely is it that such an event like this one > occurs? It might have never happened and in fact some 83% are not affected > (world-wide), which means that they will happily keep obtaining certificates > without ever paying a dime. Would you have used a different software, you > could be easily one of those 83% too. > > Now, exactly because of this and other scenarios, where revocation of a > certificate is necessary or is requested for any other reason by the > subscriber and it's not due to a failure of the CA we decided to charge a fee > in order to protect us from losses. We’re not taking about a provider customer relationship (aka: who has to pay?, who is to blame?) here. It’s about: What is the impact of StartSSL policies? I can do the math, too, but there’re no math and no probabilities in mozilla's policies: It is safety first - imho. > Otherwise the current business model would probably not work...and I'm not > even talking about easy abuse that's possible with the current model without > raising a fee. I’m perfectly fine with raising fees. This is ok - imho. But please do this while following mozilla’s policies. Greetz, Jan _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
