On 28 April 2014 08:48, Jürgen Brauckmann <brauckm...@dfn-cert.de> wrote:
> Jeremy Brookman wrote:
> >
> > We're all stilling lessons from heartbleed. One lesson is that charging
> > for revocation has wider practical implications than earlier thought;
>
> Which practical implications do you refer to?

Sorry, that was poorly expressed. I meant that needing revocation because of key compromise resulting from security bugs seemed to be a more theoretical than practical consideration; now it's become more real (for me at least; others with more experience might have been more aware already).

In particular, for private servers it seemed unlikely. I could imagine needing to revoke a certificate because, say, I'd made a mistake somewhere and needed the certificate reissuing (maybe losing the key or something, or even ), but not otherwise; it seemed to be more a consideration for larger organizations where more people had access to the private key, and there was more likely to be a breach of trust.

Live and learn!

Jeremy