Hi, I recently had to read into CACert, whether they are a good and practical thing to use for https ssl certificates, with browsers' red warning messages and what not. During my research I just stumbled across this bug report and would like to contribute my ¢2.1.

I don't think the other discussion on -legal about the CACert wanna-be license is the way here. Instead let's focus on Ansgar's original question: Should CACert.org be included?

If we go back to when it was included into ca-certificates, in 2003[0], no one asked about the security of the CACert organization itself. David Ross hadn't yet started his Checklist (aka DRC, I only found a draft[1]). CACert probably didn't know what an audit is, and even if they did, they didn't expect to still work on it. Instead that bug 213086 turned into a popularity vote, just like the mozilla bug report did over the years (as criticized by CACert's own auditor). Btw, that mozilla bug was just recently closed, invalid, after 10 years. The inclusion in 2003 didn't follow any proceedings to check CACert's security. The certificate of a CA only a few months old was added without a thought! By distributing, trusting the CACert root certificates you are taking responsibility.

On to the audit: CACert tried often, ran internal ones, and in 2008 newly created root certificates did fail[2]. Root certificates! Not something community-specific like the assurers (who could be anybody). For the lower standard of Mozilla, they failed to complete, let alone keep the schedule. I wouldn't call them a greedy bunch of capitalists like some do with WebTrust. And for sure Mozilla has an idea what an organization of volunteers is. You must admire someone like Ian Grigg[3] for still working on the audit. Possibly against people who scream: "We don't need this, it costs money." 10 grand/year for auditing CACert, hey, that's what wikipedia can raise in an hour, and less than what FreeBSD's Security Officer raised for his summer of code[4]. Speaking of: FreeBSD did remove[5] CACert's certificates on grounds of their Security Officer not taking the risk of distributing an unaudited CA, and Debian should ask the same questions.
Looking at the ca-certificates package, mozilla-sanctioned certificates make up most of the bunch; CACert is one of two exceptions, next to spi-inc.org (which I never heard of until now). It smells like a double standard for those two exceptions.

I sincerely do hope CACert does complete the audit, the sooner the better. Removing their root certificates from ca-certificates, one of the few places where they are actually distributed, would put pressure on them to get their act together and pass that audit.

ciao,
tom

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=213086
[1] http://rossde.com/CA_review/
[2] first paragraph http://wiki.cacert.org/AuditToDo
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158
[4] Even people who want to work on making things more secure do get this sort of funding http://people.freebsd.org/~cperciva/funding.html
[5] http://www.freshports.org/security/ca-roots/

PS: Sorry for sending from a mac.