On 04/30/2014 03:40 PM, Faramir wrote:
> It is like providing free airplane tickets, and then charging for the
> parachute.
I like this analogy, but it only covers one part of the CA's relationships -- the relationship with the subscriber. But the CA also has other relationships, including its relationship with the so-called relying parties.

Another way to put it is: the CA's job, in the bigger picture of the X.509 ecosystem, is to say *only true things*. Anywhere that a CA says untrue things, it is failing its job, and relying parties cannot rely on it. A CA isn't obliged to say *all* true things, but it is obliged to say *only* true things.

So a CA who learns that a statement that it has made is untrue *should* revoke that statement as soon as it finds out (oh, I wish our revocation infrastructure actually worked properly too, but that's a different rant).

The fact that a CA knows that one of its outstanding statements is untrue, but it will not revoke it until someone else has paid it to do so, should be deeply disturbing for anyone who is a relying party on that CA. (And since Startcom is pre-loaded in almost every major trust store, that means that everyone is a relying party on Startcom by default.)

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users