The CRL file(s) could be hosted on any CDN worth their salt for less than the price of 4 people regenerating certs. SNI is also an option for newer clients.
It's pure profit/rent-seeking. That same $25 applies regardless of the reason. OpenSSL compromised? Fuck you, pay me. Miskeyed the CN? Fuck you, pay me. Want a different type of cert for the same domain? (XMPP instead of web?) Fuck you, pay me. You get the idea. It doesn't cost $25 for a few-byte fingerprint to be automatically appended to the end of a file.
In some of these cases they don't even need to revoke the other cert, just delete the erroneously created one from their system because it was never used anyways!
Never mind the fact that their UI would have been an embarrassment a decade ago, and they absolutely require certificate-based login to get into the UI, which is a huge PITA.
> The CRL file(s) could be hosted on any CDN worth their salt for less than the price of 4 people regenerating certs. SNI is also an option for newer clients.
Have you seen the article with Cloudflare and GlobalSign's CRL?