Hi all,

Short introduction: I'm involved in CAcert as former board member and
currently not holding any executive function. So not officially
speaking, but I can provide some insight.

On Wed, Aug 11, 2021 at 02:50:27PM +0200, Axel Beckert wrote:
> Timo Röhling wrote:
> > * Axel Beckert <a...@debian.org> [2021-08-11 13:27]:
> > > I strongly disagree. CAcert offers way more types of certificates than
> > > Let's Encrypt. For example does Let's Encrypt not provide any
> > > certificates suitable for use as personal S/MIME e-mail certificates.

Regarding the general discussion:
Server certificates for the public are no longer a (near) target, as we
have few resources and the effort required to be accepted by vendors is huge.
The main asset of the CAcert community is the web of trust with
assurances, allowing personal certificates for email, although it's true
that users need to install the root certificate.

It is not true that we didn't bother to update the certificate on our
main page. In reality, the work on critical systems here required
multiple visits to the data center with cross-border travels, which is
not easy these days for several reasons.

By reading our blog you get an impression about what is going on:
https://blog.cacert.org/

> > Have you tried creating a personal S/MIME e-mail certificate lately?
> 
> Nope.
> 
> > Because I tried, and neither IE nor Edge nor Firefox nor Chrome nor Opera
> > support the required HTML <keygen> tag any more.

Although this is slightly off-topic, this symptom illustrates that we
have a large backlog after many years with few persons being active in
development. Overall we gain momentum here, and also in other areas such
as infrastructure. So one can expect progress in the future, likely
seeing some small steps in the next months.

Regarding certificate creation:

* Providing a CSR created by other means is and ever was possible.
Please follow "The manual way" here:
https://wiki.cacert.org/EmailCertificates

* A proof of concept about creating a CSR in the browser using a library
exists, but this needs to be refined and will take some time to be
publicly available.

> > > But instead it offers longer living certificates for hosts not
> > > directly reachable from the internet — which is a hell to achieve with
> > > Let's Encrypt.
> >
> > Private hosts are usually managed with a private CA, which gives you
> > much more control and versatility.
> 
> Not everyone is capable of running their own CA. Have you ever tried
> "easyrsa"? It's anything but easy. (And I personally rather run an
> internal CA based on CAcert's scripts — which I actually do — than on
> easyrsa. Tried easyrsa mostly for OpenVPN and nearly ditched OpenVPN
> just because they recommend this crap.)
> 
> > Many companies do this,
> 
> Yeah, and often with worse outcome than with CAcert...
> 
> > and CAcert offers no advantage, since you'd still have to distribute
> > their root certificates to all your clients.
> 
> If it's available as a Debian package, that's a clear advantage from
> my point of view. :-)

Correct. This helps partners in signed/encrypted email conversations,
because the trust can easily be installed by almost everyone, not only
people who are interested and skilled in encryption.

We'd love to have the package updated with the new class3
certificate and re-added to Debian.

> > > Again, I strongly disagree. I rather hope that Dmitry gets it back
> > > into shape and then also offers it via bullseye-backports.
> >
> > Well, if you, Dmitry, or anyone else feels that their time is well
> > spent on this package, by all means, go ahead. I just happen to
> > think that your contributions would be more valuable elsewhere.
> 
> I already have too many packages, so yes, I agree here. This though
> does not change my opinion on this package (or on a lot of other
> packages in Debian which I don't maintain, but consider important for
> myself as well as the community in general).

Does it help if I provide a patch?


Kind regards,
   Gero

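The manual CSR route Gero points to above, as an added example that is not taken from the CAcert wiki or from anyone in this thread: with `<keygen>` gone from browsers, the key pair and CSR are generated locally with OpenSSL and only the CSR is uploaded, so the private key never leaves the machine. The email address, file names and key size are assumptions, and `check_smime_csr` is a hypothetical helper for verifying the request before submitting it.

```shell
#!/bin/sh
# Added example (not from the CAcert wiki or this thread): build a CSR for a
# personal S/MIME certificate without a browser. All values are constructed.

make_smime_csr() {
    email="$1"       # e.g. user@example.org (constructed placeholder)
    keyfile="$2"     # private key output, stays local
    csrfile="$3"     # CSR output, the only file that is uploaded

    # Minimal OpenSSL request config. The email goes into subjectAltName,
    # which is where S/MIME clients look for it; the CA sets the final
    # extensions, but asking for emailProtection documents the intent.
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $email
emailAddress = $email
[ ext ]
subjectAltName = email:$email
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF
    # 3072-bit RSA key (size is an assumption); restrict the key file to the owner.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$keyfile" 2>/dev/null
    chmod 600 "$keyfile"
    openssl req -new -key "$keyfile" -config "$cfg" -out "$csrfile"
    rm -f "$cfg"
}

# Hypothetical pre-upload check: the CSR's self-signature must verify and the
# SAN must carry the expected email. Prints "ok" or "bad" and returns 0/1.
check_smime_csr() {
    csrfile="$1"; email="$2"
    openssl req -in "$csrfile" -noout -verify >/dev/null 2>&1 || { echo bad; return 1; }
    openssl req -in "$csrfile" -noout -text | grep -q "email:$email" || { echo bad; return 1; }
    echo ok
}
```

Run it as `make_smime_csr user@example.org smime.key smime.csr && check_smime_csr smime.csr user@example.org`; the resulting `smime.csr` is what the wiki's "manual way" form expects.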