>>>>> Bas Wijnen <wij...@debian.org> writes:
>>>>> On Thu, Mar 13, 2014 at 01:03:23PM +0000, Michael Shuler wrote:

 >> * No longer ship cacert.org certificates.  Closes: #718434, LP:
 >> #1258286

[…]

 > Yes, I understand that CAcert's code and procedures are less secure
 > than they should be.  I don't care.  First priority is to get the web
 > encrypted.  Trusted certificates is secondary.  As long as browsers
 > don't reasonably allow self-signed certificates, I think we should
 > accept any and all certificates as trustworthy; certainly the ones
 > from a community-driven CA.  (As noted, the current selection doesn't
 > seem to filter for security anyway.)

        There’re two issues with that.  First of all, accepting some
        “random” certificates may give the users some false sense of
        security.  Then, I’d like to note that a compromised CA may very
        well be used to issue an “example.com” certificate /even though/
        example.com may already have a valid certificate from some other
        (non-compromised) CA.  And the TLS-enabled user agents generally
        have no means to discern such a “fake” certificate from the
        “genuine” one.  That is: the security of the Web is essentially
        the security of /the least secure/ CA of those one trusts.

        … That being said, could someone please remind me when Debian
        has itself passed a security audit for the last time?  Or,
        scratch that – when was the last time the TLS-related Debian
        binary packages were audited?  (And sorry, “related” also means
        the entire GNU toolchain – GCC, etc. – since you can’t really
        trust a binary produced by a compromised compiler, can you?)

        TIA.

-- 
FSF associate member #7257

