On Fri, 2014-03-14 at 11:22 +0100, Thomas R. Koll wrote:
> Those certificates packaged by and copied over from Mozilla do fulfil their
> policy which can be found here:
> http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>
> In the inclusion section you can find a lot of ways to get accepted by
> Mozilla,
> but CACert has failed to fulfil any of those. And to quote from their policy:
> "The burden is on the CA to prove that it has met the above requirements."

Well that's the "de jure" situation... the de facto situation is that there's only one thing that counts here: money.

Just read up on the case of Turktrust. And the funny part here: with the too-big-to-fail CAs like Verisign, Comodo, Thawte... one can understand that Mozilla cannot really do much... but Turktrust is like... I mean, has anyone ever seen a website with a cert signed by them? I didn't... and my browser collects all certs ever seen. So they could have easily thrown them out, once they proved clearly to be evil,... but Mozilla chose rather the money than the "security" of their users.

> But who knows, with CACert's move from Australia to Germany we could
> see some more action behind the efforts for an audit.

Well even with a proper audit, you can't _trust_ CAcert more than you can now,... simply for the same reason that 3 people are already capable of forging any identity... At least for "email certs"... and with respect to server certs... the only "check" CAcert (as well as many commercial CAs - in their cheapest SSL "product") does is: sending an (unsecured) mail to an address in the whois for the domain. Absolutely stupid and insecure.

There's the point... you can't really get any trust to all of these CAs.

Cheers,
Chris.