Geoffrey, I have security concerns about every CA in the list, not just CACert.
That notwithstanding, CACert has not proven to be "less crap" than any of the others, which have, IMO, plenty of issues of their own. I don't find the argument that a non-profit CA hasn't signed up and paid for consortium WebTrust audits a particularly compelling argument that they are not secure (any more than I believe such things give me much trust in the other guys). Such audits are marketing tools, not security assurances.

On Thu, Nov 14, 2013 at 10:56 AM, Geoffrey Thomas <[email protected]> wrote:
> On Wed, 13 Nov 2013, Theo de Raadt wrote:
>
>>>> - There are allegedly licensing issues associated with redistributing the root.
>>>
>>> It's really neither here nor there considering all the other issues, but when you mentioned this I was expecting their terms to be totally off the wall.
>>>
>>> http://www.cacert.org/policy/RootDistributionLicense.php
>>>
>>> That's actually pretty sane to me. Basically the BSD license. It is true, however, that we aren't in compliance. Whether or not a root cert can be copyrighted, that at least would be an easy problem to rectify. But it's really the least of our concerns, I think.
>>
>> Well, I think it is bullshit.
>>
>> They are copyrighting a number created by a piece of software, wrapped inside a standardized container.
>>
>> I've got a file containing the number 1. Don't you dare...
>
> Thanks for the replies. I mostly included the mention about licensing to summarize the reasons that Debian (who are very conservative about licensing) is talking of removing it, and I think it's relevant that one of the more widely-used cert bundles that still includes CAcert is looking at dropping it. I personally don't think the copyright claim is particularly enforceable, but IANAL, and more importantly, as Ted said, it's pretty irrelevant considering the other issues.
>
> Do you have thoughts on the security concerns about CAcert and whether it makes sense for OpenBSD to trust by default?
>
> --
> Geoffrey Thomas
> http://ldpreload.com
> [email protected]
