by chrramirez 4450 days ago
So, if StartCom is removed from trusted CAs you will have to buy a new certificate and spend $$$, something you obviously want to avoid. That's stupid.

And worse, the Debian developers would be at fault.

This is a sticky situation, really. On one hand, StartCom's pricing structure is fairly upfront. On the other hand, extracting $25 from every customer because of a bug they have no control over is dick behavior of the highest order.

Ideally they'd put out a notice saying that they will offer a one-time rekey for free. Without getting into ethics, it's an entirely automated process and costs Startcom absolutely nothing.

I don't think it is dick behavior at all. That has always been their policy. They have no control of the software originating the problem. It is up to them to waive or not, but not choosing to doesn't make them anything but a business.

So it's a business. So it's policy. Those are not defenses.

A CA profiting from a vulnerability is a fairly perverse incentive, too.

What else do CAs profit from if it isn't security vulnerabilities?

Their whole purpose is to help with the authentication side of security. They didn't force anyone to use buggy code written by a third party and it is not their fault that many of their customers have gone and done so.

I use a StartCom certificate, but it has never been used with OpenSSL, so I'm fine.

It costs money to maintain a CRL.

Maybe they could revoke their intermediate certificate and reissue certificates to everyone. That would take time to coordinate, and every month that goes by 1/12 of the bad certs expire anyway.

It might, but certainly not $25 per instance. That feels a lot like gouging.
It's an awfully sketchy business model. Like inverse insurance.

That's not the issue though. Most people are not StartCom customers and couldn't care less.

They still care about what that padlock icon signifies, and that's why it's pertinent for large vendors to consider the CA status of StartCom in a situation like this.

> It's an awfully sketchy business model. Like inverse insurance.

You mean "Real Life"? If I buy an item from manufacturer X, and it breaks due to a product from manufacturer Y (which almost everyone uses with the product I bought since it's complementary), it would be nice if manufacturer X would replace the item for free, but it's not sketchy or a dick move if they don't.

No, not at all. That's not how SSL certificate revocation works.

If the certificate is not revoked when compromised, the party harmed may not be the StartCom customer, but anyone still trusting certificates issued by them.

When this is happening on a large scale, considering the CA status of StartCom is certainly due diligence.