The problem with this analysis, as with most libertarian analyses, is that it ignores externalities. The security of X.509 is a cooperative endeavor. The continued existence of compromised certificates from any CA undermines the security of the entire internet because you can no longer trust the browser padlock icon. So while it is certainly arguable that Start could justifiably refuse to provide a service for customers who have never paid, it is a much harder case to make that Start is justified in undermining the security of the internet because it chose (wisely or unwisely) to provide certificates for free.
It's not an externality of Start's business. They were up-front with their clients: revocation carries a handling fee. The externality you're referring to was caused by the users of StartSSL, who deliberately opted to pay nothing for SSL certificates that didn't have free revocation.
(Certificate revocation simply doesn't work regardless, but let's stipulate here that it does).
That assumes that all their clients were paying attention. That is almost certainly not the case. It is arguable where the responsibility lies in a case like this, but there is a case to be made that Start carries at least some of the responsibility for having created an environment where such a critical item was so easy to miss.
I am not saying that Start is in fact the villain it is being made out to be, only that the "you get what you pay for" argument should not be the last word.
You can't see them, but my eyebrows are raised. Start is famous for providing free SSL certificates; in fact, that may be all they're famous for. Virtually all other certificates cost money. What you're suggesting is that it wouldn't be the first question any reasonable person would have had, "what are the limitations of this free SSL certificate"?
I also find the notion that people would have gone elsewhere for their certificates had they only known Start's were irrevocable a bit dubious. More than a bit; "laughable" is perhaps a better word. From out here on the limb I'm standing on, I'll suggest that you probably (and quietly) agree.
This disagreement has spread into multiple branches of this thread. I'm going to try to consolidate all of my responses here to keep things from spinning too wildly out of control.
> I'll suggest that you probably (and quietly) agree.
I agree with most of the literal text of what you have written, but you still continue to ignore the salient fact that this is an unprecedented situation. The continued existence of large numbers of potentially compromised certificates undermines the entirety of X.509 because you can no longer trust the green padlock. The more un-revoked certificates exist in the wild, the less you can trust the entirety of X.509.
Under normal circumstances this wouldn't matter because the number of certificates that get compromised in the normal course of events is small, so the risk of encountering a compromised but un-revoked certificate is small. But in the current situation that is not the case. Vast numbers of private keys are potentially compromised with no way to know, and until something is done about that, the entirety of X.509 is undermined. Cert revocation is far from an ideal solution, but it's better than nothing. At least it offers the possibility of rejecting potentially compromised certs.
In the face of this unprecedented situation, Start's refusal to make any kind of contribution towards mitigation cannot be defended simply by saying that their users should have read the TOS more carefully, because those users are not the ones who are being hurt. Everyone who relies on X.509 is being hurt (hence, externality). Start is in a position to make a major contribution towards the mitigation of this problem and the restoration of trust in X.509, and they are refusing to do so. They are entirely within their rights. But it is also not unreasonable to criticize them for choosing not to contribute to the common good.
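Added example, not written by any participant in this thread: the relying-party side of the mechanism the posts above disagree about. A CRL only lets a client reject a compromised certificate if the client actually fetches it, verifies that the issuing CA signed it, and refuses to act on a stale copy. The code builds a throwaway in-memory CA, one revoked and one unrevoked leaf, and a signed CRL entirely with Go's standard `crypto/x509`; the CA name, hostnames and serial numbers are constructed placeholders, and `IsRevoked` is a hypothetical helper, not an API of any CA or browser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer is a constructed, in-memory CA used only for this demonstration.
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewIssuer generates a self-signed CA permitted to sign both certificates and CRLs.
func NewIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, Key: key}, nil
}

// IssueLeaf signs a server certificate for host with the given serial number.
func (i *Issuer) IssueLeaf(serial int64, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.Cert, &key.PublicKey, i.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SignCRL produces a DER-encoded CRL listing the given serials as revoked,
// valid from now until now+validFor.
func (i *Issuer) SignCRL(revoked []int64, validFor time.Duration) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(validFor),
	}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{
			SerialNumber:   big.NewInt(s),
			RevocationTime: now,
		})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, i.Cert, i.Key)
}

// ErrStaleCRL is returned when the CRL is past its NextUpdate; a client that keeps
// trusting such a copy is the "theater" failure mode: revocations after the cutoff are invisible.
var ErrStaleCRL = errors.New("CRL is past its NextUpdate; refusing to rely on it")

// IsRevoked is the relying-party check: verify the CRL was signed by the issuer,
// fail closed on a stale CRL, then look the leaf's serial number up.
func IsRevoked(issuer, leaf *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, ErrStaleCRL
	}
	// RevokedCertificates is populated by the parser on every Go version that has ParseRevocationList.
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, _ := NewIssuer()
	leaked, _ := ca.IssueLeaf(1001, "leaked-key.example.test") // constructed hostname
	fine, _ := ca.IssueLeaf(1002, "fine.example.test")         // constructed hostname
	crl, _ := ca.SignCRL([]int64{1001}, time.Hour)
	r1, _ := IsRevoked(ca.Cert, leaked, crl, time.Now())
	r2, _ := IsRevoked(ca.Cert, fine, crl, time.Now())
	fmt.Println("leaked revoked:", r1, "| fine revoked:", r2)
}
```

The two checks that are not the serial lookup are the ones that matter in practice: without `CheckSignatureFrom` anyone could feed the client an empty CRL, and without the `NextUpdate` check a cached CRL from before the key leak would report every certificate as fine.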
The business model animating Start's terms is clear to both of us (we've both sold software long enough to see it). Start doesn't make money selling ads and they don't make money reselling personal information. And yet they give something valuable away for free. There's pretty much one model left for them to avail themselves of: upselling.
The Start deal is obvious: you can have an SSL certificate for free now, but that certificate is inappropriate for (for lack of a better term) "serious business" (actually, any business, as stated in their terms, but I digress). The idea behind the offering is that once you realize you actually get value out of the thing they gave you, you'll convert to a paying customer.
Revocation is, as is clearly stated, one of the points in their customer acquisition process at which window-shopping free SSL cert users convert to paying users.
This isn't a complicated analysis. It is the idea behind the offering. People revoking their certificates are demonstrating that they value them. Like most people who value their certs already did, they should simply pay for the new certificate. Failing that, they can (a) accept the minimal risk that their keys were compromised, or (b) change hostnames, kill the old hostname, and start up with a new certificate.
What's at stake here isn't the fate of the Internet. It's the convenience of "customers" who have a revealed $0 preference for security.
I'm guessing that neither of us likes the CA cartel, but we deal with the world as it presents itself to us, not as we wish it to be. Support TACK! It's a step in the direction of less dependence on for-profit central authorities.
> The continued existence of compromised certificates from any CA undermines the security of the entire internet because you can no longer trust the browser padlock icon.
True, but my guess is that StartCom doing free revocations / reissues would only make a tiny dent in that situation.
That may be, but it's beside the point. Given that we have a situation where the continued viability of the internet depends on everyone rowing in the same direction, the argument that Start has no responsibility in this case because "you get what you pay for" should not carry the day.
The viability of the Internet in no way depends on Start's actions here. Certificate revocation is not in fact a giant "everyone row the same direction" coordinated effort to save the Internet. It's closer to theater than it is to triage.
I am curious why/how you concluded this was a libertarian analysis? Do you and tptacek have a history that gave you additional context to what he wrote? When I read it I did not see anything that screamed libertarian.
I didn't know whether he was a libertarian or not, but ignoring externalities is a hallmark of libertarian thought. I apologize if I made an unwarranted assumption. But the substance of my comment applies regardless.
The substance of your argument is that, having provided a free "no commercial use" SSL certificate that explicitly requires a $40 handling fee for revocation, Start has somehow assumed some obligation on the part of the users that opted into this scheme, and that their users' reticence in forking out money for revocation is an externality created by Start. I don't find that argument credible.