On Sep 10, 2013, at 5:47 PM, John R Levine <johnl@xxxxxxxxx> wrote: > How likely is it that they would risk their reputation and hence their entire business by screwing around with free promo S/MIME certs? I don't know. What happens if they are served with an NSL? I certainly don't think they'd *choose* to do anything like this, but what if it's that or jail? Remember, we know of at least one case of a business owner being threatened with jail because he closed his business rather than do precisely what we are discussing. Remember too that the NSL doesn't even have to be served to the CEO—it could as easily be served to a geek on staff. It's horrible to contemplate that such a thing might happen, but based on what we know at this point, it's not unreasonable to include this in our risk model. It is _definitely_ not in the tin foil hat zone anymore.