I just wanted to include a reply on this bug, as I have been reading
the responses as they have been posted. I appreciate the feedback and
I'm still pretty torn, to be honest.

#1 - Debian does not distribute CAcert's web site code, so while the
question about its quality is technically irrelevant, it is still a
concern for the service. Since that code is open source, someone found
something that can be fixed. Cool. Can the same be said for every CA?
I think not. And I imagine there are multitudes of security issues
that could be found in any CA's web service, if the code was public.
Doesn't that make CAcert *more* transparent? Isn't this the whole point
of OSS?

#2 - All CAs included in ca-certificates are available to have the trust
turned off. If you have a concern about a particular CA and do not
trust them, disable that CA.

#3 - Yes, other Linux/BSD distributions have removed CAcert's
certificates. Should Debian? Perhaps. Perhaps not.

I'll keep thinking about it. If the Debian NSS maintainer has a strong
opinion to remove CAcert's roots, then the same will happen in
ca-certificates, in order to maintain the same CA set. I just
personally have no strong opinion either way - I think it's great that
Debian supports such a project, and I think it would be a shame to
remove that support. I think every CA probably has its warts, but the
CA system is what we have, good or bad.

Kind regards,
Michael
(resent to nss cloned bug)
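Point #2 above says that trust in any CA shipped by ca-certificates can be switched off locally. The script below is an added example and is not part of the bug report or of the ca-certificates package: it shows the mechanism Debian's package uses, where an entry in /etc/ca-certificates.conf prefixed with "!" is treated as deselected, and the change takes effect after running update-ca-certificates (or dpkg-reconfigure ca-certificates). The configuration file path is passed as a parameter so the functions can be exercised on a copy, and the entry names in the demo are constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example (not from the bug report): mark one CA entry in a
# Debian-style ca-certificates.conf as deselected by prefixing it with "!".
# update-ca-certificates skips "!"-prefixed entries, so the CA is dropped
# from /etc/ssl/certs on the next run. Paths are parameters so this can
# be run against a copy of the file rather than the live /etc one.
set -eu

# disable_ca CONF ENTRY
# Prefix ENTRY with "!" in CONF. Returns 0 if the entry is now (or was
# already) disabled, 1 if the entry is not listed in CONF at all.
disable_ca() {
    conf="$1"
    entry="$2"
    if ! grep -qxF "$entry" "$conf"; then
        # Either already disabled ("!entry") or simply absent.
        grep -qxF "!$entry" "$conf" && return 0
        return 1
    fi
    # Escape "." for the sed pattern; "|" is used as the delimiter so
    # the "/" in entry names needs no escaping. The replacement uses the
    # raw entry, which contains no "|", "&" or "\".
    pat=$(printf '%s' "$entry" | sed 's/[.]/\\&/g')
    sed "s|^${pat}\$|!${entry}|" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# enabled_count CONF
# Number of entries still selected: lines that are not comments, not
# blank and not prefixed with "!".
enabled_count() {
    grep -cv -e '^!' -e '^#' -e '^$' "$1" || true
}

# demo: run against a constructed config (the real file on Debian is
# /etc/ca-certificates.conf) and print how many entries remain enabled.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Constructed sample; the real file lists every shipped CA certificate.
mozilla/Example_Root_CA.crt
mozilla/Another_Root.crt
cacert.org/Sample_CAcert_Root.crt
EOF
    disable_ca "$tmp" "cacert.org/Sample_CAcert_Root.crt"
    enabled_count "$tmp"
    rm -f "$tmp"
}
```

On a real system the same edit is made to /etc/ca-certificates.conf followed by `update-ca-certificates`, which rebuilds /etc/ssl/certs without the deselected CA; applications that use NSS's own trust store (Firefox, for example) are not affected by this file, which is the reason the message ties the ca-certificates decision to the NSS maintainer's.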