On 04/28/2014 10:11 AM, Jeremy Brookman wrote:
> If we take the StartSSL principle that subscribers need to pay a fee to request revocation even in the case of key compromise where there is no malpractice, but then combine it with the subscriber obligation to request revocation in the case of (confirmed?) key compromise, then in receiving a signed class 1 certificate, subscribers accept a financial liability in circumstances outside their control.
That's probably true; it's not negligence on the part of the subscriber. In this case it's probably simply bad luck (different software could have had a bug with a similar result at a different time). We've seen in the past that it can happen (weak keys).
> Can this product therefore really be described as "100% Free"?
That's of course a question of interpretation and probably also of simplicity. Not all services are free of charge of course and our FAQ tries to explain that like this:
https://www.startssl.com/?app=25#90 (item 90)

-- 
Regards

Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: start...@startcom.org <xmpp:start...@startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy