On Fri, 2014-03-14 at 06:31 +0100, Thomas R. Koll wrote:
> In a nutshell, if you want CACert to be re-added you must prove
> CACert and its infrastructure is trustworthy.
> Something CACert has attempted but even their internal audits have failed.

Well, but to be honest... that is plain stupid and makes it somehow questionable whether you understand the stuff, and especially the problems, behind X.509.

You will never be able to guarantee the trustworthiness of any of these certs for Debian's users. Full stop. And countless examples of other commercial CAs have proved this. Diginotar, Digicert, Turktrust, etc. They all were in the Mozilla bundle,... they all passed their audits, they all failed miserably... and these are just the tip of the iceberg we know about.

You can be 100% sure that CNNIC and US-controlled CAs are used by their respective governments for attacks... and even if those CAs would not want that, they would have to,... e.g. when being forced by national security letters in the US... they couldn't even tell the public what they were doing due to the gag order.

> ca-certificates didn't have much of a policy until recently, but giving that
> a good, secure policy can take quite some work, relying on Mozilla
> is a sensible policy.

Well, but the Mozilla policy is worthless, and actually Mozilla has proved several times now that they deliberately include CAs which are proven to be not trustworthy.

> Plus that SPI root cert, but they run debian infrastructure.

And if you really go by the argument that only trustworthy CAs should be included, that was the _only_ one which I'd agree is worth including.

> Please do not reason against the removal, instead you have to
> prove (every year in my eyes) that CACert is trustworthy.

I do not argue against the removal, I rather argue against the general policy, since I think it makes no sense. Does any of the CAs in the Mozilla bundle prove to you that it is trustworthy? Or is it just because Mozilla added them (probably for money reasons)? And what do you think about cases like e.g. Turktrust, where it was known that they forged certificates, but Mozilla still decided to keep them because they promised never to do it again (which actually they did in the first place as well, when they "passed" the audit)?

Apart from that: how would one convince you?

I mean, below you said the effort of checking trustworthiness shouldn't be upon you (which is fine),... but even if there was some "proper" audit... it would actually be on you, since you'd have to check those documents. Or is trustworthiness defined by the CA being based in a "good" country, like Iceland? Or is it based on customers being required to pay money in order to get a cert?

You see, all this is just the reason why your approach to include "trustworthy" certs is wrong... just because the model of X.509 is broken,... I mean this has been known for years by experts but only got attention in recent years, when many examples proved how useless the whole system is. And as a matter of fact,... the more CAs you include, the more useless it gets. And even things like EV certs don't really help, but just move the problem to the next level.

Now you say you intend to only include trustworthy CAs, right? And thereby you kinda promise Debian users of the package... when you use trust certs from that, you'll be fine. Failed. You include CNNIC (and more) => not trustworthy.

> Inverting the burden of proof, as it has happened far too often
> in these CACert discussions, is unacceptable when talking about security.

Well, apparently you can't talk about security,... if at all you talk about trustworthiness, but even that you can't guarantee... you rather just rely on the good faith of Mozilla, which proves over and over again to fail in that area.

> Please stop dragging other CAs around for comparison, every CA has to
> prove trustworthiness on their own.

Then the request should probably be to remove all the mozilla/* certs as well from the package, since those are similarly untrustworthy,... starting with all US-based CAs (due to them being ultimately controlled by the NSA, via national security letters), the Chinese-based ones, and those CAs which are known to have issued forged certificates for reasons of making money.

> PS: Lastly, this is not an opinion poll. If your only contrib is a +/-1,
> close your mail program.

Well, obviously a maintainer is free to do what he wants (at least until the tech-ctte tells him differently),... but this doesn't mean that he can forbid people to tell what they think.

And as said,... right now ca-certificates is in a pretty useless state... it's merely another re-bundling of the mozilla certs + SPI,... and as long as it is like that, it would probably be better (and more up-to-date) to simply have a wrapper that extracts the certs from the current NSS packages.

I mean it's nice and appreciated that you spend effort on ca-certificates, which was in a sleeping state for quite a while,... but you're approaching it all the wrong way.

And don't get me wrong,... it's not that I would consider CAcert particularly trustworthy, since 3 people can already forge any identity. But that's not worse than any of the commercial CAs where you can get the same for some 20-50$.

Cheers,
Chris.
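The "wrapper that extracts the certs from the current NSS packages" mentioned in the mail above, as an added example that is not part of the thread and not code from the ca-certificates package: it parses the NSS certdata.txt object format, joins each CKO_CERTIFICATE record with its CKO_NSS_TRUST record by label, exports only roots that NSS marks CKT_NSS_TRUSTED_DELEGATOR for server authentication (so CKT_NSS_NOT_TRUSTED entries and roots that are only trusted for e-mail are dropped), and lets the local administrator deselect further roots by label, which is the point the mail makes about CNNIC: the bundle's trust decision is not the only one you get to make. The sample certdata embedded below is constructed; its CKA_VALUE bytes are placeholders, not real certificates, and the label names and the `local_exclusions` parameter are the example's own.

```python
"""Export the server-auth trusted roots from an NSS certdata.txt (added example)."""
import base64
import re

CERT_CLASS, TRUST_CLASS = "CKO_CERTIFICATE", "CKO_NSS_TRUST"
TRUSTED, NOT_TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_NOT_TRUSTED"


def _decode_octal(lines):
    """Decode MULTILINE_OCTAL lines (e.g. r'\060\202') into bytes."""
    return bytes(int(o, 8) for line in lines for o in re.findall(r"\\([0-7]{3})", line))


def parse_certdata(text):
    """Split certdata.txt into objects: one dict (attribute -> value) per CKA_CLASS record."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 2)
        if parts[0] == "CKA_CLASS":  # every object starts with its class
            current = {}
            objects.append(current)
        if current is None or len(parts) < 2:
            continue  # BEGINDATA and anything before the first object
        attr, kind = parts[0], parts[1]
        if kind == "MULTILINE_OCTAL":
            octal = []
            for raw in lines:  # consume the octal body up to END
                if raw.strip() == "END":
                    break
                octal.append(raw)
            current[attr] = _decode_octal(octal)
        elif kind == "UTF8":
            current[attr] = parts[2].strip('"')
        else:  # bare tokens such as CKT_NSS_NOT_TRUSTED or CK_TRUE
            current[attr] = parts[2] if len(parts) > 2 else ""
    return objects


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def select_roots(objects, local_exclusions=()):
    """Return (exported, skipped): PEM per kept label, reason per dropped label."""
    trust = {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == TRUST_CLASS}
    exported, skipped = {}, {}
    for o in objects:
        if o.get("CKA_CLASS") != CERT_CLASS:
            continue
        label = o["CKA_LABEL"]
        flag = trust.get(label, {}).get("CKA_TRUST_SERVER_AUTH")
        if label in local_exclusions:  # local policy beats the bundle's opinion
            skipped[label] = "excluded by local policy"
        elif flag == NOT_TRUSTED:
            skipped[label] = "explicitly distrusted by NSS"
        elif flag != TRUSTED:  # MUST_VERIFY_TRUST or missing: not a root for TLS
            skipped[label] = "no server-auth trust flag (%s)" % flag
        else:
            exported[label] = to_pem(o["CKA_VALUE"])
    return exported, skipped


# Constructed sample in the certdata.txt layout; the CKA_VALUE bytes are a
# 5-byte DER placeholder, not real certificates. Real files carry more
# attributes per object (CKA_SUBJECT, CKA_ISSUER, hashes); the parser keeps them.
SAMPLE_CERTDATA = r"""
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root C"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\003
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root C"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

if __name__ == "__main__":
    kept, dropped = select_roots(parse_certdata(SAMPLE_CERTDATA), {"Example Root A"})
    print("exported:", sorted(kept), "skipped:", dropped)
```

Run against a real certdata.txt, `select_roots(parse_certdata(open(path).read()), exclusions)` gives the PEM set a `/usr/share/ca-certificates`-style tree could be built from, and the `skipped` dict is the audit trail: every root that was dropped, and whether that was NSS's decision or the local administrator's.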