On 12/06/2013 10:15 PM, Michael Shuler wrote:
> Thanks for the clarification, I misunderstood. This would be possible,
> but it makes for an interesting question of toggling other CAs, which I
> don't care to take on, since it seems to be a rather polar and emotional
> conversation.

Deciding to eject CAs *also* raises the question of ejecting other CAs. I don't think we can get around the fact that this is a difficult decision to make, and no one actually wants to be in the position of making it. But if debian is shipping a bundle of CAs, we are actually making that decision; even if we punt the details of the decision to "major browser vendor(s)", we're deciding which vendor(s) to defer to.

As an OS distributor, we are forced to make these decisions (or at least the defaults) for our users because of structural flaws in the global environment that enables the CA cartel. Saying "hey, it's up to mozilla" and washing our hands of the matter doesn't seem particularly

> It is already simple to drop in a local certificate, as
> well as create a local cert deb package. In my opinion, the question
> really is binary - we either ship it and trust it, or we don't.

Having the certificate shipped in the debian package but disabled by default is still useful: it provides an easy and standard way for administrators who are willing to rely on CAcert to know that they have the expected certificate, rather than having to fetch the CAcert package via some potentially unreliable channel.

Thanks for thinking about this problem for debian and its users.

--dkg
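As an added illustration of the "shipped but disabled by default" mechanism discussed above, and not code from this thread or from Debian's ca-certificates package: a POSIX sh sketch of how an administrator would inspect and toggle entries in /etc/ca-certificates.conf, where a leading `!` deselects a certificate and update-ca-certificates then rebuilds /etc/ssl/certs. The conf content and the cacert.org file names below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian's ca-certificates.
# Models the administrator side of "shipped but disabled": in Debian's
# /etc/ca-certificates.conf, '#' starts a comment, a leading '!' marks a
# certificate as deselected (left out of /etc/ssl/certs), and any other
# line names a cert relative to /usr/share/ca-certificates.
# The conf content and the cacert.org file names are constructed so the
# script runs offline; point CONF at the real file to use it on a system.
CONF="${CONF:-$(mktemp)}"
cat > "$CONF" <<'EOF'
# comment line, ignored by update-ca-certificates
mozilla/DigiCert_Global_Root_CA.crt
!cacert.org/cacert.org_root.crt
!cacert.org/cacert.org_class3.crt
EOF

# Report one entry's state: enabled, disabled, or absent (exact match only).
cert_state() {
    if grep -qxF -- "$1" "$CONF"; then echo enabled
    elif grep -qxF -- "!$1" "$CONF"; then echo disabled
    else echo absent
    fi
}

# List every deselected certificate with its '!' stripped.
list_disabled() {
    sed -n 's/^!//p' "$CONF"
}

# Enable a certificate that ships disabled by removing the '!' on exactly
# that line.  Returns 1 when the name is not in the conf at all, so a typo
# can never silently "enable" something that was never shipped.
enable_cert() {
    [ "$(cert_state "$1")" = absent ] && return 1
    awk -v n="$1" '$0 == ("!" n) { print n; next } { print }' "$CONF" \
        > "$CONF.tmp" && mv "$CONF.tmp" "$CONF"
}

# Disable an enabled certificate by prefixing its line with '!'.
disable_cert() {
    [ "$(cert_state "$1")" = absent ] && return 1
    awk -v n="$1" '$0 == n { print "!" n; next } { print }' "$CONF" \
        > "$CONF.tmp" && mv "$CONF.tmp" "$CONF"
}
```

On a real system, run update-ca-certificates after toggling an entry so /etc/ssl/certs reflects the change, and compare the shipped file's fingerprint with the one the CA publishes before enabling it.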