Access to www.gnupg.org only via TLS

Peter Lebbing peter at digitalbrains.com
Thu May 1 11:57:42 CEST 2014


On 30/04/14 23:48, Daniel Kahn Gillmor wrote:
> So a CA who learns that a statement that it has made is untrue *should*
> revoke that statement as soon as it finds out

However, how many of the free StartSSL certs that the owners now wish to revoke
have actually been compromised by Heartbleed? Peter Eckersley of the EFF raised
this aspect in [1]. That the owner revokes the cert because it ran on a
vulnerable OpenSSL installation does not mean the key has been compromised; it's
a precaution because it was a possibility.

I'm torn on this issue. I feel StartSSL should do free revocations in such
cases, but I don't think it's fair they have to burn a lot of money because
another party, the OpenSSL dev team, made a mistake. I have no idea what it
costs in man hours to revoke all those certificates, and I have no idea about
the financial situation of StartSSL.

Peter.

[1]
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/ItSu2bebBKk/7QBGYz5W0DQJ

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list