Source: nss
Severity: important

[ Same request as in #718434, but for NSS and not ca-certificates ]
[ Discussion should best only happen in one bug, i.e. #718434, or ]
[ maybe debian-security@l.d.o. ]

I'm wondering if Debian really should include CAcert.org root certificates:

The CAcert.org root certificates are only included by a small number of vendors[1]. No major web browser (Mozilla, Chrome, IE, ...) includes them by default.

[1] <http://wiki.cacert.org/InclusionStatus>

CAcert.org itself has withdrawn its inclusion request into Mozilla's certificate list[2] until an audit is completed. I'm not sure where the current status is recorded, but [3] doesn't look too promising.

[2] <https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158>
[3] <http://wiki.cacert.org/AuditToDo>

I'm also not sure how well they follow current recommendations. For example, Mozilla's CA requirements[4] include that "all new end-entity certificates must contain at least 20 bits of unpredictable random data (preferably in the serial number)", which I believe was introduced as a consequence of some attacks on CAs that relied on predictable serial numbers. CAcert.org doesn't seem to implement this, at least not in the serial number (not sure what other places to check).

[4] <http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html>

And last but not least: while CAcert.org publishes the source code of their system[5] (good), looking at it does not make me trust it (it causes the opposite effect)...

[5] <http://www.cacert.org/src-lic.php>

Ansgar
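The serial-number point in the report above, as an added example that is not part of the bug report or of any CAcert or Debian code: a heuristic check a reviewer can run over serials collected from a CA (for instance the output of `openssl x509 -noout -serial` on several issued certificates) to see whether they look like a counter rather than carrying the quoted 20 bits of unpredictable data. The sample serials are constructed, not real CAcert values.

```python
"""Heuristic check for the 'at least 20 bits of unpredictable random data'
serial-number rule quoted in the report.  Serials are hex strings as printed
by `openssl x509 -noout -serial`.  All sample values below are constructed."""
from typing import Dict, Iterable, List

# Constructed samples: a counter-style issuer vs. an issuer using random serials.
COUNTER_STYLE_SERIALS: List[str] = ["0A", "0B", "0C", "0D", "10"]
RANDOM_STYLE_SERIALS: List[str] = [
    "4F3A9C1E2B", "D81E4C0A77", "12E9B04C5F", "A0C3D77E19", "6B1F0E28C4",
]


def parse_serial(hexstr: str) -> int:
    """Accept 'serial=DEAD..', 'DE:AD:..' and plain hex; return the integer."""
    cleaned = hexstr.strip().lower()
    if cleaned.startswith("serial="):
        cleaned = cleaned[len("serial="):]
    return int(cleaned.replace(":", ""), 16)


def serial_report(serials: Iterable[str], min_random_bits: int = 20) -> Dict[str, object]:
    """Report whether a CA's issued serials look predictable.

    min_random_bits defaults to the 20 bits quoted from the Mozilla policy;
    the CA/Browser Forum Baseline Requirements later raised this to 64 bits.

    Two independent signals:
      * shortest_bits: a serial shorter than min_random_bits cannot carry that
        much entropy, whatever the CA did internally.
      * largest_gap_bits: with serials sorted, if even the largest gap between
        neighbours is below min_random_bits, every sampled serial is within
        guessing distance of the previous one, i.e. a counter, not randomness.
        (Heuristic: a tiny random sample can cluster by chance.)
    """
    values = sorted(parse_serial(s) for s in serials)
    if len(values) < 2:
        raise ValueError("need at least two serials to judge the issuance pattern")
    shortest_bits = min(v.bit_length() for v in values)
    gaps = [b - a for a, b in zip(values, values[1:])]
    largest_gap_bits = max(g.bit_length() for g in gaps)
    return {
        "shortest_bits": shortest_bits,
        "largest_gap_bits": largest_gap_bits,
        "duplicates": len(values) != len(set(values)),  # RFC 5280: unique per CA
        "predictable": shortest_bits < min_random_bits or largest_gap_bits < min_random_bits,
    }


if __name__ == "__main__":
    for name, sample in (("counter-style", COUNTER_STYLE_SERIALS),
                         ("random-style", RANDOM_STYLE_SERIALS)):
        print(name, serial_report(sample))
```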