This is in reference to bug https://bugzilla.osafoundation.org/show_bug.cgi?id=10660, a request to include CAcert.org's root certificate with the default certificates that Chandler ships with, but the issue is actually a policy issue we need to decide first, before we can decide what to do with that bug.
Currently the Certificate inclusion policy is "ship with what Mozilla ships with". The Mozilla CA certificate policy is explained in http://www.mozilla.org/projects/security/certs/policy/. I think the Mozilla policy is pretty good. Among other things, it relies on well-known auditors to vet the quality of an organization that wants its certificates included. Auditing is an important part in weeding out incompetent and criminal organizations from endangering the security of your SSL connections. I definitely do not want to audit organizations, nor would I be able to do a good job of it. Personally I would like to maintain our current policy. Another fair alternative I could see would be to modify Chandler to use the platform cryptographic APIs and using the certificates the platforms normally use. However, this would be a lot of work, and would need to be customized for each platform, including each variant of an operating system we wanted to support. -- Heikki Toivonen
signature.asc
Description: OpenPGP digital signature
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Open Source Applications Foundation "chandler-dev" mailing list http://lists.osafoundation.org/mailman/listinfo/chandler-dev
