I doubt that the removal of CAcert was a good decision... We include such doubtful CAs as CNNIC, TURKTRUST, and all the (ultimately) NSA-controlled US-based CAs... so whether the audit of CAcert looks promising now or not does not really matter that much, if you compare it to the others. And we just include the others because Mozilla does so, and Mozilla itself is highly criticised in many bugs by security experts for some of their choices. Actually, Mozilla seems to include everything, as soon as the CA fulfils some basic rules (which however no one really verifies) - and even if it comes out that a CA was untrustworthy and broke the rules, they don't remove them but rather just believe in good faith that in the future everything will change... o.O
And many of the other commercial CAs have proven dozens of times that they are neither trustworthy, nor particularly competent. And as for the license... First it's questionable whether a certificate is licensable at all (I mean it's just some numbers)... and even if... then what about the other certs that we got from Mozilla? Do we really know whether all these certs are DFSG compatible? So I don't quite see the use of removing the CAcert.org certificates (actually I wonder why we have ca-certificates at all, since it seems to be merely the Mozilla CA package)... since it was for most Debian users the only way to get them in a secure manner. Cheers, Chris.