On 30/04/14 23:48, Daniel Kahn Gillmor wrote:
> So a CA who learns that a statement that it has made is untrue *should*
> revoke that statement as soon as it finds out

However, how many of the free StartSSL certs that the owners now wish to revoke have actually been compromised by Heartbleed? Peter Eckersley of the EFF raised this aspect in [1]. That the owner revokes the cert because it ran on a vulnerable OpenSSL installation does not mean the key has been compromised; it's a precaution because it was a possibility.

I'm torn on this issue. I feel StartSSL should do free revocations in such cases, but I don't think it's fair that they have to burn a lot of money because another party, the OpenSSL dev team, made a mistake. I have no idea what it costs in man-hours to revoke all those certificates, and I have no idea about the financial situation of StartSSL.

Peter.

[1] https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/ItSu2bebBKk/7QBGYz5W0DQJ

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users