I understand the word "must" to mean that they cannot add additional strings, such as payment, to their obligation to revoke the certificate. Is there another way of interpreting it that I am missing? I guess you could interpret it as "must provide a mechanism", but I can't see that that was the intent of the original document.
Mozilla's use of the word "must" here I think is important, because the barriers to correctly dealing with a security breach should be minimized. For better or worse, root CAs are entrusted with maintaining the security of large chunks of the internet. Charging users who suspect that their certificates _may_ have been compromised (due to the Heartbleed bug, in this case) will cause users to err on the side of inaction, which is going to weaken internet security in the long run.
I wouldn't have put it better myself.
I just added a new update on the website.
Saturday, April 12, 09:50 (GMT-3)
OK, so here's my reply to Nikolai:
"Let me address this question.
> Anything about free revocations there?
It doesn't, but that's not relevant.
It's pretty damn clear: You see the evidence,
that alone should be enough for you to take action.
If you take Mozilla's policy by the letter,
one doesn't even have to own a certificate to be able to request its revocation.
All that should be needed is the evidence of compromise.
If I disclosed the private keys for a certificate I don't own,
would you just ignore that information?
Or would you come after the certificate owner demanding payment first?
You're a CA, A CA!!!
You should be worried about the security of the internet above all things.
You should also be worried that you have a bunch of green padlocks around that don't mean what they once did.
You're not worried about that.
So in my opinion you don't deserve the trust of the internet anymore.