Hello,

thank you for your statement! I appreciate this a lot.

On 04/29/2014 01:16 AM, Kathleen Wilson wrote:

>> assumed to be compromised? (Compromised, due to heartbleed, not
>> revoked, because of non-paying subscribers?)
>> 
> 
> 
> In regards to policy…
> 
> In general, Mozilla’s CA Policy does not tell CAs how to structure
> the finances of their business.
> 
> According to Mozilla’s CA Maintenance Policy, a CA has to revoke a
> cert when “the CA obtains reasonable evidence that the subscriber’s
> private key … has been compromised or is suspected of compromise”.
> Does showing that the subscriber was running a bad version of
> OpenSSL count? Many sites that were vulnerable to heartbleed were
> not provably compromised. Mozilla’s CA Maintenance policy does not
> say that a CA has to revoke a cert if the software on the server
> had a bug in it.

> If the subscriber shows evidence (logs, etc) that their private key
> was accessed or compromised, then the CA is required to revoke the 
> certificate. But Mozilla’s CA Policy does *not* say that a CA has
> to issue a replacement cert.

Ok - I take this as a "StartSSL is not violating Mozilla's policies" -
I think that by the nature of heartbleed hardly anybody is able to
provide this evidence.

I think the debate is settled now and will leave it.
Thanks to you all for your helpful input!

> 
> My personal opinion…
> 
> I have personally benefited from "free" certs, and would be sad to
> see such services go away. However, I understand that in light of
> recent events CAs who have previously offered free certs might
> consider adding an up-front fee or shrinking the certificate
> validity period for free certs.

I benefited from free services, too. But - personally - the risk of
being fooled by assumed-to-be compromised certs is more important to
me. By that decision, I removed StartSSL from my truststore.
But - as said - this is a personal decision and I don't see any reason
for arguing about that.

> The heartbleed bug caught many of us by surprise, and has caused
> many of us to reconsider our policies and practices regarding
> revocation.

100% agree - sadly :-/

> A positive side effect is that more attention will be put on
> revocation. (more about this later)

Being positive here is a nice thing. :-)
I'm more and more depressed about the state of PKIs and TLS / SSL out
there :-(

Greetz, Jan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy