Don't sell your namesake domain short! Sure, the Google domains are subject to different types of attacks than most others but any domain with a cert has value. For example, I'd be happy to use gerv.net as a landing page for my spam campaign or as a phishing site or, even better, as a host for malware in my malvertising activities.
All I'm saying is that revocation is valuable for everyone in all sorts of ways. Original Message From: Gervase Markham Sent: Friday, October 7, 2016 4:37 AM To: Peter Gutmann; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On 07/10/16 04:21, Peter Gutmann wrote: > That still doesn't necessarily answer the question, Google have their CRLSets > but they're more ineffective than effective in dealing with revocations > (according to GRC, they're 98% ineffective, > https://www.grc.com/revocation/crlsets.htm). That statistic assumes that all revocations are equal, which is clearly not true. A revoked cert for www.google.com is orders of magnitude more important to Chrome users than one for www.gerv.net. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy