On 01-05-2014 5:57, Peter Lebbing wrote:
> On 30/04/14 23:48, Daniel Kahn Gillmor wrote:
>> So a CA who learns that a statement that it has made is untrue
>> *should* revoke that statement as soon as it finds out
>
> However, how many of the free StartSSL certs that the owners now
> wish to revoke have actually been compromised by Heartbleed? Peter
> Eckersley of the EFF raised ...

IMHO, Heartbleed is not the point, any certificate suspected (or even worse, known) to have been compromised should be revoked.

I wonder what would happen if a stolen certificate is used to commit fraud, and the affected customers can prove the CA was aware of the compromise and refused to revoke it because they didn't get money.

I'm glad StartSSL provides certificates for free, but I'd rather have them asking for a nominal fee to issue the certificate rather than asking for it to revoke it in case of disaster.

In my case, I don't own a credit card, and I can't send money to PayPal, so eventually I might be tempted to get a free certificate, but would be unable to pay a nominal fee to revoke it, not because I don't have money, but because I don't have any way to deliver it to the CA.

I also agree that using CAcert certificates may be very uncomfortable, since the root certificate must be manually added to the browser, and we (yes, I'm part of the CAcert community, and used to collaborate in the policy group) have been unable to produce a license that both covers CAcert (you know, the "as is, we don't claim this is reliable" stuff), and also can be interpreted as compatible with free software philosophy.

Best Regards

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users