On Thu, 5 Dec 2013, Alessandro Vesely wrote:
> I find CAcert pretty useful, and it is handy to have their certificate
> installed by default. From other contributions to this bug, it seems
> their auditing, policies, or disclaimer have some issues.
Their code quality also has some issues, as described in this bug report,
which directly impacts their trustworthiness to sign only valid requests.
Can you quantify what you mean by "useful" and "handy"? If your specific
use case involves free SSL certificates, there are multiple other
providers of such things in the Mozilla-distributed root set, that are
linked to by the above ticket. Server admins who currently use CAcert will
find it more useful to switch to such a root, regardless of whether Debian
drops CAcert, because then their site's security can be verified on other
platforms.
If there are use cases for CAcert other than the fact that their
certificates are free-of-charge, I'd be curious to know that, but I'm
under the impression that that's basically the only driver these days, and
my arguments in this thread are mostly based on that.
> From a practical POV, the incidents reported by THC[0] mention
> different CAs, so I'd rather remove them than CAcert.
I believe all those roots were either removed from the Mozilla set, or
rekeyed. For what it's worth, I'd be happy to see Debian be _more_
conservative than Mozilla in what roots it includes, just not less.
Note that CAcert has not rekeyed after the security issue that Ansgar
found, and it's really the response to that issue (and lack of publicity)
more than the issue itself that makes me uncomfortable with them as a
default trusted root. Incidentally, that issue probably would have gotten
widespread attention if CAcert was in the Mozilla list... Debian doesn't
have the ability to generate the same sort of public outcry for roots that
it's locally including.
> If anything, it should be made clear[er] that there is no endorsement or
> assumption of responsibility in distributing ca-certificates: Just like
> any other package, it is done on a best-effort basis.
I actually do think that's the right policy for Debian, but in the form
that Debian should pass the trust questions off to an entity like Mozilla
who is willing to make those endorsements (since the only other real way
to make "no endorsement" clear is to make no roots trusted by default).
That's exactly what FreeBSD did:
http://www.freshports.org/security/ca-roots/
"The port is deprecated since it is not supported by the FreeBSD Security
Officer anymore. The reason for this is that the ca-roots port makes
promises with regard to CA verification which the current Security Officer
(and deputy) do not want to make.
"For people who need a general root certificate list see the
security/ca_root_ns, but note that the difference in guarantees with
regard to which CAs are included in ca_root_ns vs. ca-roots. The
ca_root_ns port basically makes no guarantees other than that the
certificates comes from the Mozilla project."
--
Geoffrey Thomas
http://ldpreload.com
geo...@ldpreload.com