On 04/29/2014 12:05 AM, Jan Lühr wrote:
Does StartSSL violate Mozilla's policies by not revoking certificates
assumed to be compromised?
(Compromised, due to heartbleed, not revoked, because of non-paying
subscribers?)

/Assumed/ is perhaps a good description, since it's rather difficult to confirm an actual compromise and whether the certificate/key was supposedly hosted at an affected server during its lifetime.

We believe it's the responsibility of the subscriber to make the correct assessment and do whatever is necessary to get the certificate revoked (or not).

I don't want to speak for other CAs (as we are currently taking the brunt on this one), but I'm pretty sure that other CAs have their limits as well as far as revocations are concerned, and certificates are not endlessly revoked. Netcraft reports many reissued certificates, but relatively few revocations: http://news.netcraft.com/archives/2014/04/25/heartbleed-why-arent-certificates-being-revoked.html

So this can't be just an issue of StartCom, but perhaps easier to hit because there is a charge involved. Our CRLs can be measured and I believe we've done a fairly good job during those hectic days when the bug was disclosed.

--
Regards
Signer:         Eddy Nigg, COO/CTO
        StartCom Ltd. <http://www.startcom.org>
XMPP:   [email protected] <xmpp:[email protected]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Twitter:        Follow Me <http://twitter.com/eddy_nigg>

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy