On 04/28/2014 05:53 AM, Eric Mill wrote:
> I appreciate how diligent you're being about responding to everyone.
> And, as I've said elsewhere, I haven't believed that there's an
> ethical problem with offering free certs with paid revocations as a
> general business practice.
OK
> Resist generalizing: would offering a one-time free revocation for any
> domain whose owner says the word "Heartbleed" be feasible *right now*
> for Startcom? Could Startcom get through it okay?
I don't think so, not without a financial loss, which we would have to
cover from somewhere else. A change to the business model would be more
likely in the future, which, however, I wouldn't really like to see, but
there are different options and considerations on the table.
All in all the actual result is rather positive, with most subscribers
complying with the requirement and paying their fees, with the exception
of a rather noisy minority - which in turn I can understand too and maybe
was to be expected.
> Presumably, your CRL lists have already expanded and your bandwidth
> costs increased. If the number of vulnerable certificates is small
> enough that you haven't felt guilt-ridden about charging them for
> revocation, it should also be small enough that the additional
> marginal cost of waiving the fees for them shouldn't cost you that
> much.
I think the question about guilt isn't appropriate - I don't feel
guilt-ridden. We follow a policy and business model we decided on a long
time ago and which is implemented. As any competitor can charge whatever
they want for whatever they want, they don't have to feel guilty either;
they are running a business.
Our CRLs have doubled or more since the bug, our OCSP infrastructure isn't
exactly cheap either, and those that receive the benefits from it are
charged a fee, as we disclosed and implemented.
> Part of having a
> sustainable business is having enough of a buffer so that you can
> weather an occasional tornado without having to lock your neighbors
> out of the shelter.
I believe that's exactly the point: sustainability is important, and we
took care that the operation will be sustained even in case of a tornado
(see also my other reply to the list regarding insurance). The subscriber
has obligations too, and if it happens, the subscriber has to carry some
of the costs (maybe never, maybe only once or maybe more than once,
that's the risk/benefit).
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: [email protected] <xmpp:[email protected]>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy