On Wednesday 9 April 2014 15:07:08, Klemens Baum wrote:
> Package: ca-certificates
>
> Following the OpenSSL CVE-2014-0160 "Heartbleed" vulnerability [1,2],
> any certificate that was used with a vulnerable version of OpenSSL (I
> read somewhere 1/3 of the web) should be handled as if it is compromised.
>
> Compromised certificates have to be replaced with new ones (new keys)
> and the old ones should be revoked.
>
> StartCom provides cheap and even free SSL certificates via the
> StartSSL brand. However, revoking certificates requires a
> US$ 24.90 fee [3].
Whatever you and I think of this pricing structure, people are free to choose any provider of certificates that matches their pricing interest, and people are knowingly, or should be knowingly, buying a product that has a certain price structure when they get the certificates in the first place. Revoking a certificate is generally primarily in the interest of the owner of said certificate, so there is an incentive to actually pay this fee. I do not believe it is Debian's place to pass judgement on which pricing scheme people should prefer, even if you and I personally would rather pay up front and have no costs on revocation.

Cheers,
Thijs