On Thu, Mar 13, 2014 at 01:03:23PM +0000, Michael Shuler wrote:
> * No longer ship cacert.org certificates. Closes: #718434, LP: #1258286
I was not aware of this bug until my browser started refusing my CAcert certificate at the latest upgrade. I see there has been a long discussion about this, and I've read a significant part of it. I understand the viewpoints, but have something to add which is currently missing from the discussion IMO:

As you may be aware, Poul-Henning Kamp has been talking about browser security in this year's edition of FOSDEM [1][2]. One of the things he specifically mentioned was that it would be great if all web traffic was encrypted. And really, self-signed certificates are good enough! MITM attacks may happen, but will be extremely rare; the choice of encrypting vs not encrypting should be an easy one.

However, we all know how all browsers scare everyone but the most persistent away from visiting a site which uses an untrusted certificate. Because of this, most of the web is still unencrypted: who wants to scare their users away? The other option is to get a certificate, which costs money. Except with CAcert. Because of this, CAcert is the best way to push websites in the direction of encrypting all websites.

Sure, it'd be better if Mozilla would accept them. It would be even better if Mozilla would stop screaming at the user when a self-signed certificate is encountered. But we, as Debian, don't have control over Mozilla. We can ask them, and they might listen. In the meantime, we can do our own part in making the web better.

Yes, I understand that CAcert's code and procedures are less secure than they should be. I don't care. First priority is to get the web encrypted. Trusted certificates are secondary. As long as browsers don't reasonably allow self-signed certificates, I think we should accept any and all certificates as trustworthy; certainly the ones from a community-driven CA. (As noted, the current selection doesn't seem to filter for security anyway.)
Thanks,
Bas

[1] https://fosdem.org/2014/schedule/event/nsa_operation_orchestra/
[2] http://video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm