John A. Martin wrote:
No, I am objecting to the inclusion of a CA that hasn't passed the audit.

The last item at <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350282> looks like active opposition to adding the CAcert class3 certificate in the Debian ca-certificates package.

,----[ Excerpt: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350282> ]
| From: Alaric Dailey <[EMAIL PROTECTED]>
| To: [EMAIL PROTECTED]
| Subject: CAcerts inclusion
| Date: Wed, 24 May 2006 06:50:09 -0500
|
| [Message part 1 (text/plain, inline)]
|
| Free is not a requirement for a CA.
|
| CAcert has yet to pass their audit. I used to have faith that they were
| simply short of money and that is why their audit hasn't been done, but...
|
| Anyhow, I submit that no CA root certificate should be accepted, free or
| not, until they have passed a "WebTrust" compatible audit.
|
| [smime.p7s (application/x-pkcs7-signature, attachment)]
`----
AFAIK - Still looking for someone to do the audit, but since you
decided to post to the CAcert list, I am sure you will get lots of
specific answers.
Thawte, GeoTrust, GlobalSign, Comodo to name but a few, pick a CA, and
poke around the site for the "WebTrust" seal. If they don't have one,
and they are in the browsers then they have had the equivalent audit
done. Most important browser vendors require certification authorities
to have been audited by a third party auditor as you can see for
example here:
http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html
http://www.microsoft.com/technet/archive/security/news/rootcert.mspx
http://www.apple.com/certificateauthority/ca_program.html
See my above answer.
Most CAs also post their audit reports at their web site, but you can get quite a few from here: http://www.hecker.org/mozilla/ca-certificate-list
I don't know, ask the responsible person at Debian. However, including or having included CA certificates on the basis of the noted criteria: "get 2 or 3 recommendations ("seconded" mail) from other people to the bug report" can't even be considered a good joke!
this
and this

Anybody can send mail, preferably GPG signed, to <[EMAIL PROTECTED]> and it will be part of the record. IMHO something coming from an address @cacert.org would carry more weight. Why?

That's exactly the problem.... you may be including a dangerous Trojan horse without even verifying the most basic aspects of a certification authority.... Anybody can bring a few friends, set up a disposable domain and run a CA. Just because someone is running a CA and has made it public, that doesn't mean it should be trusted. I know that there is a test CA that was made public; it is just for test, no one SHOULD trust it for site validity, it hasn't been secured, nor has it been checked to see if even basic validation is being done, but according to what you are saying 2 of my friends and I could get it added to Debian. That is scary.

As for an address from @cacert.org, it doesn't take ANY skill to fake an email address. Most servers STILL don't support SPF, even fewer treat failures of types "?" and "~" as hard failures; this makes email spoofing absolutely trivial, that is why phishing emails get through. And GPG signing? Ooooo boy, who checks key ownership, what makes gpg trustworthy? It's trivial to create a pgp/gpg key that says I am anyone: President Bush, Jennifer Lopez, Duane, anyone. And we won't even go into the GPG signature bug.