This already went to Michael only, sorry I kept the rest of you out
by mistake.

 
Yes Michael, facts, that's the one thing this whole issue is missing.

Just read the request to add CACert into mozilla-firefox
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309564
Yes, this was a request to do the one thing that
Mozilla itself didn't want. It is like asking Dad(ian)
for ice-cream after Mom(zilla) said no :D

In the very last mail of that discussion madduck is turning the
burden of proof upside down.
You shouldn't argue why not to include or remove CACert,
it is CACert who has to prove rock-solid why it
should be considered for inclusion.

Another important aspect, which you find mentioned in the
long mozilla bugreport by mozilla staff and confirmed
by auditor Ian Grigg: Requests for inclusion should *only*
come from officials of the CA.
madduck may be a longtime assurer and have a feel for how good
CACert is, but simply can't have the insight a CACert board member
or auditor has.

But I just found one request that was official (msg #20), Venezuela's Suscerte
and I also see that in #37 you've referred them to Mozilla.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609942#20

It is a double standard that you are applying just for SPI and CACert.
Oh SPI, how did that get in? By a simple question from Mike Hommey[1]:
   "Now, realistically, adding CACert should be enough for Lenny. Maybe SPI,
    could be worth, too."
And madduck was happy to comply. We know nothing about SPI, how they create
their root certificates, who can issue new ones and they didn't even ask for it.

Remember, we are talking root certificates here, they print passports,
not fake passports but the real ones.
They can print you one for google.com if they feel like it and it would be a 
real one.

I can research a little more if you feel you need more facts before
removing the CACert and SPI root certificates.

KDE years ago took a policy not to include unless an audit or big browser says
it's okay.
https://bugs.kde.org/show_bug.cgi?id=74290#c16

ciao, tom

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309564#129


On 14.09.2013 at 23:41, Michael Shuler <mich...@pbandjelly.org> wrote:

> On 09/14/2013 12:15 PM, Thomas R. Koll wrote:
> 
> <..lots!..>
> 
> I appreciate you adding some good details and your thoughts to this bug
> report, Thomas.

