On Sep 10, 2013, at 5:47 PM, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:
How likely is it that they would risk their reputation and hence their entire
business by screwing around with free promo S/MIME certs?
I don't know. What happens if they are served with an NSL? I certainly
don't think they'd *choose* to do anything like this, but what if it's that or
jail? Remember, we know of at least one case of a business owner being
threatened with jail because he closed his business rather than do precisely
what we are discussing.
Remember too that the NSL doesn't even have to be served to the CEO—it could as
easily be served to a geek on staff. It's horrible to contemplate that such a
thing might happen, but based on what we know at this point, it's not
unreasonable to include this in our risk model. It is _definitely_ not in the
tin foil hat zone anymore.