> To be fair, Debian and other projects have even lower security standards.
> 
> That is, they still mark CACert as secure for SSL in "stable" (how is that
> not a security update relevant, even if fixed in Unstable?!)

CACert is not nearly as bad as many of the CAs Mozilla actually
considers to be trustworthy. It still has a pile of crap codebase and
their auditing is very lacking, but at least you can see all the
information on where they're going wrong and right.

AFAIK, they haven't ever been hacked or issued any crazy invalid certs.

They were removed because they weren't too big to fail and aren't
willing or financially able to bribe their way through auditing.

Why are Comodo, TurkTrust, CNNIC and others still in the trust database?
It's money that matters, not security. It's a joke.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy