TL/DR from the Mozilla bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=994033)
There doesn't appear to be a definitive argument as to whether they should or should not waive their revocation fee.

On the side of StartCom, an extremely reasonable point as to why they should not waive their fee:

> Every other certificate provider requires payment for certificates. StartCom is the one provider offering free certificates, which goes a long way to spreading TLS and https more broadly, and the complaint here is that they're daring to charge a fee to maintain their revocation list? Removing them over that would do more harm than good to security.

And the also very reasonable counterpoint:

> The problem is that thanks to Heartbleed we now have potentially leaked private keys (leaked due to circumstances outside of the control of anyone) and thus insecure sites.
>
> Now with StartSSL charging for every single revoked certificate they are encouraging people to "eh, the chance my key got leaked is so low, I'll just stay with my old certificate" thinking and behaviour.
>
> This is actively compromising the security of SSL and consumers (no one I know checks the SSL vendor on certificates of sites they visit if there's the lock icon and it says it is trustworthy). Therefore customers and site users expose themselves to potential security risks while the browser assures them they are communicating securely with the website.

At the very least it's refreshing to see that people aren't just jumping on the rage bandwagon of, "OMG you mean I have to pay for something that you said I'd have to pay for. You are evil".

It's nice to see some even-handed analysis of the situation!
I don't think that "charging for services you said you would charge for" is anywhere near reason enough to revoke a root certificate. I would be very disappointed by Debian if they actually went through with this.
Disclaimer: I have a number of free StartCom certificates.

However, even though I own some certs with StartCom, I personally think this comment has literally no basis.

Looking at the CA market - if anything - we should be happy that a CA like StartCom exists. It is a very small team led by Eddy Nigg (he is very helpful by the way) and given that they are the ONLY ones (as far as I am aware) offering free certs - we should applaud them. Besides, the fee for revoking is very small.

I also was very much aware that revoking a cert had a charge before I signed up for one - I think it is pretty clear - so not a problem for me at all. Of course if I had to revoke a cert because of StartCom's mistake that would be a different story.

Bear in mind these are only domain validated certificates - perfect for small website owners who wish to offer their site over httpS without paying any extra fee.
Seems unlikely to happen based on what was said in the thread.

> Whatever you and I think of this pricing structure, people are free to choose any provider of certificates that matches their pricing interest and that people are knowingly or should be knowingly buying a product that has a certain price structure when they get the certificates in the first place.
>
> Revoking a certificate is generally primarily in the interest of the owner of said certificate so there is incentive to actually pay this fee.
>
> I do not believe it is Debian's place to pass judgement on which pricing scheme people should prefer, even if you and I personally would rather pay up front and have no costs on revocation.
Not getting involved in the politics of being charged for revocations/re-keying, however it's worth pointing out that Google Chrome (Linux and Windows, and Chromium) all seem to have the "Check for server certificate revocation" option disabled by default.
Certificate revocation infrastructure (OCSP or CRL server) is something that needs to be maintained constantly (versus certificate requests, which are a one-shot deal). In order to maintain that revocation, they have to keep serving it out for as long as someone might use your cert. It makes perfect sense to charge for it.
Hats off to the Debian developer. I cannot believe the report was handled so politely. This is one of the silliest bug reports I have seen. I cannot think of what the possible thought process was that led to the formation and submission of this bug report.

    # dpkg-reconfigure -p low ca-certificates
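The command above drives the same selection interactively; as an added example (not from this thread, nor from the Debian ca-certificates package itself), the script below does the deselection non-interactively. It assumes the Debian convention that a line in /etc/ca-certificates.conf beginning with `!` is excluded by `update-ca-certificates`, and it operates on a constructed copy of such a file with illustrative entry names, so it can be run without touching the real system trust store.

```shell
#!/bin/sh
# Added example: deselect a CA in a ca-certificates.conf-style file.
# Assumption (Debian convention): an entry prefixed with '!' is NOT linked
# into /etc/ssl/certs when update-ca-certificates runs. All file contents
# here are constructed samples, not a real system file.

# make_sample_conf FILE: write a constructed config with placeholder entries.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample of /etc/ca-certificates.conf (placeholder entries)
mozilla/Example_Root_CA_A.crt
mozilla/StartCom_Certification_Authority.crt
mozilla/Example_Root_CA_B.crt
EOF
}

# distrust_ca FILE PATTERN: prefix '!' to every active entry whose name
# contains PATTERN (literal substring). Comments and entries that are
# already deselected pass through unchanged, so the call is idempotent.
distrust_ca() {
    conf="$1"
    pattern="$2"
    tmp="$conf.tmp"
    awk -v pat="$pattern" '
        /^[[:space:]]*#/     { print; next }   # comment line
        /^!/                 { print; next }   # already deselected
        index($0, pat) > 0   { print "!" $0; next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# trusted_count FILE: number of active (selected) certificate entries.
trusted_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^!' | grep -c .
}

# is_distrusted FILE PATTERN: succeed if a deselected entry matches PATTERN.
is_distrusted() {
    grep -q "^!.*$2" "$1"
}

# Stand-alone demonstration on a temporary constructed file.
demo="$(mktemp)"
make_sample_conf "$demo"
echo "active entries before: $(trusted_count "$demo")"
distrust_ca "$demo" "StartCom"
echo "active entries after:  $(trusted_count "$demo")"
rm -f "$demo"
```

On a real Debian system the edited file would be /etc/ca-certificates.conf and the change only takes effect after running `update-ca-certificates`, which rebuilds /etc/ssl/certs from the selected entries; the script deliberately stops short of that step.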
So, if StartCom is removed from trusted CAs you will have to buy a new certificate and spend $$$, something you obviously want to avoid. That's stupid.
There's more discussion on the Mozilla bugzilla, linked from this report:

https://bugzilla.mozilla.org/show_bug.cgi?id=994033
Either this request is naive, or I am.

As I understand it, not all StartCom certificates are necessarily vulnerable. I have a number of StartSSL certificates issued before 4/7 that, according to the HeartBleed checker here[1], are not vulnerable.

Is it wrong for me to assume that the tool is correct, or is it wrong to assume that all StartCom certificates are necessarily vulnerable?

[1] - http://filippo.io/Heartbleed/
> A user comment here says the CVE was cited, and StartSSL waived the revocation fee.

Seems like a straightforward solution for them to implement.