Hi Tom,

On Sun, September 15, 2013 01:16, Thomas R. Koll wrote:
> But I just found one request that was official (msg #20), Venezuela's
> Suscerte, and I also see that in #37 you've referred them to Mozilla.
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609942#20
>
> It is a double standard that you are applying just for SPI and CACert.
I think you're confusing two things here. The inclusion process of the past was simply that CAs needed advocating votes from project members. The current process is to just rely on what Mozilla does. So this explains how the certificates got here, but it's not really relevant. The question is to now judge whether CAcert and SPI should remain here, and they need not be tied together.

First, CAcert. CAcert is a bit of a special case because it's the only real community CA, and in that sense very different from the other CAs, and in that sense also close at heart to the way Debian operates. I fully agree that CAcert has been less than stellar in the past in the trustworthiness area. Nonetheless, I do not perceive the current situation to have any sign of there being a real threat or risk to the model. I would be inclined to keep the status quo, so as to give this sympathetic community effort, which can't "just" get itself audited, a chance. As said, I don't think we would gain significant added security in Debian by dropping it, even though there probably would be enough concerns if it were newly added. I know, it's more an inclination than fact-based reasoning. But this is precisely because CAcert is special, and it is a fact that it operates very differently from commercial CAs.

> And madduck was happy to comply. We know nothing about SPI, how they
> create their root certificates, who can issue new ones and they didn't
> even ask for it.

Why do you think we know nothing about it? SPI is an association very closely associated with Debian. We know a lot about SPI and its workings. Indeed there has been discussion at SPI whether SPI should be buying or distributing commercial certificates for its members, but it currently does not.

We can keep SPI trusted in any case since it's inherently trusted by the project. Debian is already root on your system, so trusting them to be root but not trusting them with certificate issuance seems not logical to me.
Cheers,
Thijs