On Mon, May 19, 2014 at 11:57 AM, Mikael Nordfeldth <[email protected]> wrote:
> On Mon, 19 May 2014, 10:37:23 CEST, Simon Tennant <[email protected]>
> wrote:
>
>> One problem I have noticed:
>>
>> - domains that use CACert certificates are problematic.
>>
>> Probably due to cacert being dropped from the trust chain. The site in
>> question went to a different registrar and everything works now.
>
> Yes, it is very unfortunate that the TLS forcing comes immediately after the
> mass removal of the only certificate provider whom I and others use broadly.
> It has become the perfect advertisement campaign for a broken, costly CA
> system based on corporate trust rather than user trust.
>
> I have personally added the cacert.org root to my ca-certificates folder and
> removed the blacklisting on systems where such a thing was added by the
> package manager.
> That will continue to be necessary for communicating with @hethane.se.
>
> I'd hope to see others do this too, or simply implement some sort of TOFU
> policy which can understand new certs when they expire. Or are we all going
> to put our trust in StartCom from now on? ;)
As mentioned earlier in this thread, this isn't the case, and whether people trust individual CAs or not is tangential. Today's change is to require encryption, not to do authentication with the provided certs. It seems much more likely that the CA in question is issuing certs that some software is unable to handle at all, as they're not being used for authentication.

/K
