Hello,

On 04/29/2014 01:09 PM, Gervase Markham wrote:
> On 26/04/14 16:45, Zack Weinberg wrote:
>> If a business chooses to give some or even all of its services away
>> free, those who benefit from those services are still customers and
>> still in the same ethical relationship with the business as people who
>> paid for services (perhaps the same service, perhaps not).
>>
>> In particular, the business may *not* duck out of ethical obligations
>> incurred by circumstances beyond any customer's control (e.g.
>> catastrophic bugs in software everyone relies on ;-) just because some
>> of its customers are not *paying* customers.
>
> Hi Zack,
>
> Let's imagine StartCom said to you: "OK, we will perform free
> revocations for all Heartbleed-affected certificates, as you request.
> And we are changing our business model to charge up-front for certs like
> all the other CAs, so we don't get hit with a big cost like this again.
> No more free-of-charge 1-year-valid certs on the Internet."
>
> Would you consider that a good trade-off, in terms of improving the
> general security of the Internet?
Side note - since we're discussing sth. else: I vote for "yes". Reasons:

- At the moment, StartSSL certificates are not free. They are advertised as free. But the fee for revocation makes 'em non-free due to a certain probability. Free in 85% (or sth. %) of all cases is not free in general.
- I think revocation of assumed-to-be-compromised certs is important for Internet security. There should be no tempting argument for not doing so in any situation. Laziness and costs are tempting arguments imho.
- By advertising certs to be "non-free" and putting the actual price tag on it, alternate CAs like CAcert might get a boost in popularity, emphasizing their importance for global internet security. At the moment, many people skip CAcert in favor of StartSSL, because they can just get a "free" certificate in major browsers.

I'd like to live in a world where revocation is without any hassle and Community Driven CAs like CAcert are providing security for sites to be interested in.

Greetz,
Jan

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

