At 1:28 PM -0700 6/8/08, Kyle Hamilton wrote:

>How much does it cost the CA to mint a new certificate? How much
>liability does the CA assume in the case where a subject's certificate
>is used by someone other than the subject through no real fault of the
>subject's?

Zero and zero. How much hassle is it for a customer of the CA to have its certs all of a sudden be rejected by all the clients that do OCSP or CRL checking? (Hint: much greater than zero.)

>(This is one of the reasons why I don't believe it's viable to charge
>per-certificate, but rather per-timeperiod.)

Sure, but that's not the model most CAs have with their customers. I would bet that if a CA sent out a message saying "we're revoking your cert tomorrow, here's a new one" to all of its affected customers, fewer than 95% would have the new cert installed correctly. The remainder would be screwed, and the customer support lines (and I use that term very loosely) would be jammed.

A better mechanism would be for the CAs to send out repeated letters saying that the keys are probably compromised and the certified party really really really should do an update. If they don't, it is now the responsibility of the certified party.

--Paul Hoffman

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto