On 27 April 2014 23:07, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 04/25/2014 08:50 PM, Jan Lühr wrote:
>
>> What's your argument here? Is "crying foul" "Unjustified", because
>> nobody "cried foul" the moment you published your policies?
>>
>
> It's unjustified if as a subscriber you are not willing to accept the
> terms and conditions of that service, e.g. you want to accept the
> convenient part of it but not commit to your obligations.
Since you bring up the question of subscriber obligations (and this is a slightly tangential issue)...

If we take the StartSSL principle that subscribers need to pay a fee to request revocation even in the case of key compromise where there is no malpractice, but then combine it with the subscriber obligation to request revocation in the case of (confirmed?) key compromise, then in receiving a signed class 1 certificate, subscribers accept a financial liability in circumstances outside their control. Can this product therefore really be described as "100% Free"?

In the heartbleed case most people only have suspected key compromise and not proven key compromise, so it can be argued that this problem hasn't kicked in. But given the year TLS has had so far, who's to know what'll happen next week?

We're all still learning lessons from heartbleed. One lesson is that charging for revocation has wider practical implications than earlier thought; so revocation can't be decoupled from issuance, and therefore that to keep the blanket charge on revocation, StartSSL will have to forego the "No charge and 100% Free" branding on its class 1 certificates.

Jeremy

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy