On Thu, 25 Sep 2008 00:10:12 +0200 Giuseppe Scrivano <[EMAIL PROTECTED]> wrote:
> In addition, CAcert.org, already used for https://savannah.gnu.org,
> was added to the builtin root certificates.

I'm very disappointed by this decision. Considering all the well-documented problems with CAcert.org, this seems like a very bad choice to be making.

Just looking on CAcert.org's wiki, you can read some of the following pages to find copious amounts of information on why CAcert.org isn't ready to be used:

* http://wiki.cacert.org/wiki/Audit -- Links to various other pages concerning CAcert.org's ongoing audit, especially their lack of a single completed audit

* http://wiki.cacert.org/wiki/AuditToDo -- List of things left for CAcert.org's first audit to be completed; still a long way to go until the audit is completed

* http://wiki.cacert.org/wiki/PolicyDrafts -- Note the lack of set policies on how assurance is handled; how does one know that the certificates issued by CAcert.org for a domain were really bought by that domain if there's no set policy outlining how checks and validations are made?

* http://wiki.cacert.org/wiki/InclusionStatus -- Links to several places that explain why CAcert.org isn't ready to be included; note the number of well-known browsers and operating systems that have yet to include CAcert.org because of CAcert.org's current ongoing issues and lack of a completed audit

There is also time in CAcert.org's history for which the security of its root cannot be properly accounted. What would happen if indeed the private key of CAcert.org were to be leaked out? People could create SSL certificates for any domain they liked, and they would all be accepted by IceCat without any regard for their validity.

Also, CAcert.org has issued both assured and unassured SSL certificates from the same root, which is insecure and strongly not recommended. This is one of the main reasons Ubuntu refused to add CAcert.org's root back when it went through discussion in 2005. I'm not sure if CAcert.org is still issuing certificates this way, but just the fact that they have done it at some point in time is worrisome.

I believe you're doing a disservice to IceCat's users by including a CA root that hasn't been properly vetted and whose root cannot be accounted for over long periods of time. Users put trust into their browser's CA root repository that the SSL certificates they encounter will have been properly vetted for a certain level of quality. By adding CAcert.org with other vetted roots, you lower the quality of the other roots in the browser's CA root repository, as users won't be able to know who exactly they can trust.

If you're looking for free or cheap SSL certificates, CAcert.org isn't the only option out on the market. I do know that StartCom's StartSSL CA offers free class 1 DV SSL certificates, and their OV and EV certificates are fairly cheap, too. The StartSSL CA root has been properly vetted and audited, so it can be trusted just as much as a big name such as VeriSign.

Once CAcert.org completes its first audit and meets the basic requirements of policies such as the Mozilla CA Certificate Policy (http://www.mozilla.org/projects/security/certs/policy/), then I'm sure you'll have no problem getting CAcert.org's root added to the repositories of many browsers and operating systems. Until then, I believe you should remove the root from IceCat so users can remain secure and regain the feeling of assurance that by going to a site over SSL, they are indeed visiting the actual site and not a site using a fraudulent SSL certificate.

I hope you will take the above information with an open mind and do what is best for the safety and security of IceCat's userbase.

~reed

-- 
Reed Loden - <[EMAIL PROTECTED]> / <[EMAIL PROTECTED]>
The GNU Project [gnu.org]
Free Software Foundation [fsf.org]
--
http://gnuzilla.gnu.org