On 4/28/14, 2:05 PM, Jan Lühr wrote:

> Does StartSSL violate Mozilla's policies by not revoking certificates
> assumed to be compromised?
> (Compromised, due to heartbleed, not revoked, because of non-paying
> subscribers?)

In regards to policy…

In general, Mozilla’s CA Policy does not tell CAs how to structure the finances of their business.

According to Mozilla’s CA Maintenance Policy, a CA has to revoke a cert when “the CA obtains reasonable evidence that the subscriber’s private key … has been compromised or is suspected of compromise”. Does showing that the subscriber was running a bad version of OpenSSL count? Many sites that were vulnerable to heartbleed were not provably compromised. Mozilla’s CA Maintenance Policy does not say that a CA has to revoke a cert if the software on the server had a bug in it.

If the subscriber shows evidence (logs, etc.) that their private key was accessed or compromised, then the CA is required to revoke the certificate. But Mozilla’s CA Policy does *not* say that a CA has to issue a replacement cert.


My personal opinion…

I have personally benefited from "free" certs, and would be sad to see such services go away. However, I understand that in light of recent events CAs who have previously offered free certs might consider adding an up-front fee or shrinking the certificate validity period for free certs.

The heartbleed bug caught many of us by surprise, and has caused many of us to reconsider our policies and practices regarding revocation. A positive side effect is that more attention will be put on revocation. (more about this later)

Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy