On 26/04/14 16:45, Zack Weinberg wrote:
> If a business chooses to give some or even all of its services away
> free, those who benefit from those services are still customers and
> still in the same ethical relationship with the business as people who
> paid for services (perhaps the same service, perhaps not).
>
> In particular, the business may *not* duck out of ethical obligations
> incurred by circumstances beyond any customer's control (e.g.
> catastrophic bugs in software everyone relies on ;-) just because some
> of its customers are not *paying* customers.

Hi Zack,

Let's imagine StartCom said to you:

"OK, we will perform free revocations for all Heartbleed-affected certificates, as you request. And we are changing our business model to charge up-front for certs like all the other CAs, so we don't get hit with a big cost like this again. No more free-of-charge 1-year-valid certs on the Internet."

Would you consider that a good trade-off, in terms of improving the general security of the Internet?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy