On 29/04/14 00:16, Kathleen Wilson wrote:
> My personal opinion…

And mine:

Free-at-the-point-of-issuance certs have been a great thing for the Internet, and I would be very sad to see them go away.

I also think in general that the charging structures of (non-insurance :-) business models are best when they reflect the cost structure incurred in providing the service. Otherwise, one set of customers is subsidising the other ones. (At the moment, for the other CAs, non-Heartbleed-vulnerable customers are subsidising the costs incurred by Heartbleed-vulnerable ones.)

I do not understand the logic of "There is now an unexpected expense associated with doing the right thing. Despite the fact that my subscriber agreement says that I should bear that expense, I refuse to do the right thing until the CA bears the expense for me." That seems entirely wrong to me.

A contract is a contract. If you don't like contracts which say that the subscriber should pay for revocations, don't sign one, and encourage others not to do so also. And if you signed one, you should meet your obligations. "Let your Yes be Yes, and your No be No." (Jesus).

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy