I'm curious what the status of this bug is -- is there a plan to remove
CAcert in the next upload?

As far as I can tell, the only CA certificate sources making an active
decision to ship CAcert are Debian, Mageia, and OpenBSD. All other
OSes/distributions that do ship CAcert by default and trust it by
default[3] do so either because they're downstream from Debian (in the
case of e.g. Ubuntu) or because they are using Debian's package (in the
case of e.g. Gentoo[4] and Arch[5]). Gentoo seems to have no policy or
rules about what's included. OpenBSD seems to have no policy, possibly
other than "reasonably sane" and "We should probably think carefully" (see
r1.1 in [2]).

A friend of mine once complained to me that this means that webmasters who
use Debian (or a Debian derivative) as their personal OS will often fall
into the trap of setting up a website using CAcert, test it on their own
machine, and then be surprised when users not on Debian get untrusted
certificate errors. This is a pretty strong negative effect on usable
security, and seems like a disservice to Debian users and other users of
this bundle. Since it seems unlikely, eight years later, that CA curators
who don't currently include CAcert are likely to start until they pass
their audit, and Debian's CA bundle is by far the most widely-used of the
bundles that include CAcert, the positive value of Debian continuing to
ship CAcert's root on the grounds of solidarity with their mission seems
nil.

For what it's worth, I also agree with the security concerns about CAcert
-- I'm a little surprised that, given the code quality of the file that
Ansgar found a vulnerability in, the root wasn't immediately distrusted.

The specific reason I looked at this bug was that I found myself replying
to a Reddit comment advocating for CAcert's inclusion in places other than
Debian, and having to explain that Debian is not endorsing CAcert's
security:
http://www.reddit.com/r/technology/comments/1qj1tz/http_20_to_be_https_only/cddfmz0?context=1

Debian's continued inclusion of CAcert in the default certificate store is
inevitably interpreted as an endorsement of their security practices,
despite the disclaimer in the package description (see also the discussion
in #647848).

Incidentally, GlobalSign is now offering gratis wildcard certificates for
"open source projects"[6], which they define as actively maintained
projects under an OSI-approved license. Between that and StartCom's gratis
offering[7], in my opinion 95% of the practical use cases for keeping
CAcert in Debian are probably covered.

[1] http://svnweb.mageia.org/packages/cauldron/rootcerts/current/SPECS/rootcerts.spec?view=markup
[2] http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/cert.pem
[3] http://wiki.cacert.org/InclusionStatus
[4] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-misc/ca-certificates/ca-certificates-20130906.ebuild?view=markup
[5] https://www.archlinux.org/packages/core/any/ca-certificates/
[6] https://www.globalsign.com/ssl/ssl-open-source/
[7] http://www.startssl.com/?app=1
--
Geoffrey Thomas
http://ldpreload.com
geo...@ldpreload.com