Hi Heikki,
Heikki Toivonen wrote:
This is in reference to bug
https://bugzilla.osafoundation.org/show_bug.cgi?id=10660, a request to
include CAcert.org's root certificate with the default certificates that
Chandler ships with, but the issue is actually a policy issue we need to
decide first, before we can decide what to do with that bug.
Currently the Certificate inclusion policy is "ship with what Mozilla
ships with". The Mozilla CA certificate policy is explained in
http://www.mozilla.org/projects/security/certs/policy/.
I think the Mozilla policy is pretty good. Among other things, it relies
on well-known auditors to vet the quality of an organization that wants
its certificates included. Auditing is an important part in weeding out
incompetent and criminal organizations from endangering the security of
your SSL connections.
I definitely do not want to audit organizations, nor would I be able to
do a good job of it.
Personally I would like to maintain our current policy.
Another fair alternative I could see would be to modify Chandler to use
the platform cryptographic APIs and using the certificates the platforms
normally use. However, this would be a lot of work, and would need to be
customized for each platform, including each variant of an operating
system we wanted to support.
+1 in maintaining our current policy. What we should do though is put it
in writing somewhere on our site so that everybody knows what that
policy is all about. You here above writing seems to be a good start for
such a doc.
Cheers,
- Philippe
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Open Source Applications Foundation "chandler-dev" mailing list
http://lists.osafoundation.org/mailman/listinfo/chandler-dev
