Re: Revocation Policy

Mon, 28 Apr 2014 12:22:18 -0700 

On 04/28/2014 05:53 AM, Eric Mill wrote:

I appreciate how diligent you're being about responding to everyone.
And, as I've said elsewhere, I haven't believed that there's an
ethical problem with offering free certs with paid revocations as a
general business practice.


OK


Resist generalizing: would offering a one-time free revocation for any
domain whose owner says the word "Heartbleed" be feasible *right now*
for Startcom? Could Startcom get through it okay?



I don't think so, not without a financial loss, which we would have to 
cover from somewhere else. A change to the business model would be more 
likely in the future, which I however wouldn't really like to see, but 
there are different options and considerations on the table.



All in all the actual result is rather positive with most subscribers 
complying to the requirement and pay their fees, with the exception of a 
rather noisy minority - which in turn I can understand too and maybe was 
to be expected.



Presumably, your CRL lists have already expanded and your bandwidth
costs increased. If the number of vulnerable certificates is small
enough that you haven't felt guilt-ridden about charging them for
revocation, it should also be small enough that the additional
marginal cost of waiving the fees for them shouldn't cost you that
much.



I think the question about guilt isn't appropriate - I don't feel 
guilt-ridden. We follow a policy and business model we decided long time 
ago which is implemented. As any competitor can charge whatever they 
want for whatever they want, they don't have to feel guilty either, they 
are running a business.



Our CRLs doubled or more since the bug, our OCSP infrastructure isn't 
exactly cheap either and those that receive the benefits from it are 
charged a fee as we disclosed and implemented.



Part of having a
sustainable business is having enough of a buffer so that you can
weather an occasional tornado without having to lock your neighbors
out of the shelter.



I believe that's exactly the point, sustainability is important and we 
took care that the operation will be sustained even in case of a tornado 
(see also other reply to the list regarding insurance). The subscriber 
has obligations too and if it happens, the subscriber has to carry some 
of the costs (maybe never, maybe only once or maybe more than once, 
that's the risk/benefit).


--
Regards
Signer:         Eddy Nigg, COO/CTO
        StartCom Ltd. <http://www.startcom.org>
XMPP:   start...@startcom.org <xmpp:start...@startcom.org>
Blog:   Join the Revolution! <http://blog.startcom.org>
Twitter:        Follow Me <http://twitter.com/eddy_nigg>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy























					Reply via email to