Greetings,

I believe the presence of Startcom's root CA enables much of the Internet user population to be MITM'd via pkeys leaked (due to the Heartbleed bug) whose owners won't pay Startcom to revoke their respective certs.

The decision not to revoke is an economic one for most customers of the "Free StartSSL cert", and even if those customers change pkeys and switch to other CAs for their certificates, the users of their websites remain at risk until the StartSSL certs expire. In this case, Startcom's business model indirectly puts a lot of end users at risk of MITM, and thus makes it incompatible with their goal of securing communications.

IMO, the way to plug this gaping hole is to remove Startcom's CA from the list of trusted issuers. Such an action would break a lot of websites, potentially causing more harm than allowing some of these sites to be MITM'd. But knowingly allowing (possibly widespread) MITM does not seem like a good alternative either, and would further erode the general population's trust in SSL.

Thank you,
Radu.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy