On Fri, 14 Mar 2014 at 6:31, Thomas R. Koll wrote:
> On 13.03.2014 at 17:21, Christoph Anton Mitterer
> <cales...@scientia.net> wrote:
> > I doubt that the removal of CAcert was a good decision?
>
> I wish you would have read the whole bug report, especially the history
> of how the CACert root certificate came into ca-certificates.

I believe, he did as I and many more too. However, I cannot prove for him.

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#20 and
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#30
>
> In a nutshell, if you want CACert to be re-added you must prove
> CACert and its infrastructure is trustworthy.
> Something CACert has attempted but even their internal audits have failed.

Well, CAcert is not more or less trustworthy as every other CA in the
package. In fact, I would trust them much more than such suspect CAs as
TURKTRUST or Verisign.

The certificate was in this package for a long time and was a proper
source for the admin to enable it or not. Now it is gone and this is
breaking many work flows.

If you want to only include trustworthy CAs in the package, then you
might better do a rm -fr *. I do believe that no one in Debian is able
to validate every single CA.

It is not a point to re-add a certificate than to revert to the unbroken
state before.

> Please do not reason against the removal, instead you have to
> prove (every year in my eyes) that CACert is trustworthy.

Sure, as soon as you prove that TURKTRUST is trustworthy or Verisign or
Wells_Fargo or China_Internet_Network_Information_Center (just to name a
few).

On the other hand, for example Verisign had some bad news records in the
last years. (I do not have a link anymore)

> Please stop dragging other CAs around for comparison, every CA has to
> prove trustworthiness on their own.

No, I for myself will never stop with that until you show that you set
the same measurement for all certs. I do not think that any of the CAs
was checked for trustworthiness before including them in
ca-certificates.

Regards
   Klaus
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C