Re: ca-certificates: no more cacert.org certificates?!?
previously on this list Bas Wijnen contributed: On Tue, Apr 01, 2014 at 10:49:15PM +0100, Kevin Chadwick wrote: I think at Debian we all agree that it would be a good thing if everything would be encrypted, so this is a very bad outcome. I beg to differ I'm afraid. SSL should be used where it is required otherwise you are opening the server upto DOS and as it is more complex, bugs and exploits not to mention greater memory and cpu usage in similar fashion to systemd. That's a valid point. I think all connections should be encrypted, unless the server admin knowingly disables the encryption. Does that sound better? What I would like to see, is that if someone new to making websites tries something, they will be using encrypted connections. And if they start asking people to fill out personal data, they don't need to do anything extra to make sure it works right. Sorry but I still have to disagree as this shouldn't really but certainly does still increase the chances of someone submitting data to a site that doesn't care about the security of that data or have the ability to look after it. OTOH it would prevent wordpress logins being stolen so easily and ISPs snooping, however I believe in solving specific problems not swapping problems around, what do you know again like systemd due to it's multi functional design or rather lack of it;-) -- ___ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) In Other Words - Don't design like polkit or systemd ___ I have no idea why RTFM is used so aggressively on LINUX mailing lists because whilst 'apropos' is traditionally the most powerful command on Unix-like systems it's 'modern' replacement 'apropos' on Linux is a tool to help psychopaths learn to control their anger. (Kevin Chadwick) ___ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/991243.53700...@smtp120.mail.ir2.yahoo.com
Re: ca-certificates: no more cacert.org certificates?!?
On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote: I think they are constrained by the browser market; if they add annoying popups and other browser vendors don't then they will probably lose market share. This is the fundamental problem with web security; the wider user population wants things to 'work', anything that gets in the way tends ... not to get implemented. -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/caktje6fmpxy-ymumkb0juu2wwobo3wurotj3ud7tytxvu-m...@mail.gmail.com
RE: ca-certificates: no more cacert.org certificates?!?
Where do get the idea cacert uses popup's ? The only things states in RDL that user has to be informed about the copyright -Oorspronkelijk bericht- Van: paul.is.w...@gmail.com [mailto:paul.is.w...@gmail.com] Namens Paul Wise Verzonden: woensdag 2 april 2014 08:47 Aan: debian-devel@lists.debian.org Onderwerp: Re: ca-certificates: no more cacert.org certificates?!? On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote: I think they are constrained by the browser market; if they add annoying popups and other browser vendors don't then they will probably lose market share. This is the fundamental problem with web security; the wider user population wants things to 'work', anything that gets in the way tends ... not to get implemented. -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/caktje6fmpxy-ymumkb0juu2wwobo3wurotj3ud7tytxvu-m...@mail.gmail.com
Re: ca-certificates: no more cacert.org certificates?!?
On Wed, Apr 02, 2014 at 09:43:34AM +, Bas van den Dikkenberg wrote: Where do get the idea cacert uses popup's ? The only things states in RDL that user has to be informed about the copyright Read the previous post, and please avoid top-posting. This post is turning out weirdly because of that. I've added some more context to the quote below to make it more obvious what his response was to. -Oorspronkelijk bericht- Van: paul.is.w...@gmail.com [mailto:paul.is.w...@gmail.com] Namens Paul Wise Verzonden: woensdag 2 april 2014 08:47 Aan: debian-devel@lists.debian.org Onderwerp: Re: ca-certificates: no more cacert.org certificates?!? On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote: I've also asked Mozilla to give plain HTTP connections at least as much warnings as self-signed certificates (which would probably mean no warnings for either of them), but I don't think they'll listen. I think they are constrained by the browser market; if they add annoying popups and other browser vendors don't then they will probably lose market share. This is the fundamental problem with web security; the wider user population wants things to 'work', anything that gets in the way tends ... not to get implemented. -- Kind regards, Loong Jin signature.asc Description: Digital signature
Re: ca-certificates: no more cacert.org certificates?!?
Hi, Paul Wise: Encrypted and unencrypted connections are equivalent because anyone who is on your network path (or can manipulate DNS or BGP) can MITM the connection. Somebody could passively log the connection for later analysis. Your argument does not hold for this case. -- -- Matthias Urlichs signature.asc Description: Digital signature
Re: ca-certificates: no more cacert.org certificates?!?
On Wed, Apr 2, 2014 at 6:09 PM, Matthias Urlichs wrote: Somebody could passively log the connection for later analysis. Your argument does not hold for this case. I don't have an argument, I'm saying that Snowden revealed that global active adversaries like the NSA and GCHQ have been doing this for a while. Logging ciphertext via passive MITM and breaking endpoint security to defeat encryption globally. -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/caktje6g1_mqbuqxs+wdvgljzyeaxbdc1stnj6hzt2b6aj_7...@mail.gmail.com
Re: ca-certificates: no more cacert.org certificates?!?
On 04/02/2014 04:43 AM, Bas van den Dikkenberg wrote: The only things states in RDL that user has to be informed about the copyright I find this, perhaps, the most interesting and on-topic comment in this thread. -- Kind regards, Michael -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/533c81d5.3060...@pbandjelly.org
Re: ca-certificates: no more cacert.org certificates?!?
On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery r...@debian.org wrote: Of course, I'm one of those people who believes that web site certificate signatures as currently implemented, with the level of vetting that's actually done by commercial CAs in practice, are more of an extortion racket than a security measure. I have to agree on that. But a Startcom Certificate on a personal web site is one web site more that doesn't train users to blindly click away certificate warnings. A cacert certificate or a self-signed certificate on a personal web site is one web site more that does that kind of training. Grüße Marc -- -- !! No courtesy copies, please !! - Marc Haber |Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom | http://www.zugschlus.de/ Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/e1wuszb-0007bm...@swivel.zugschlus.de
Re: ca-certificates: no more cacert.org certificates?!?
Marc Haber mh+debian-de...@zugschlus.de writes: On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery r...@debian.org wrote: Of course, I'm one of those people who believes that web site certificate signatures as currently implemented, with the level of vetting that's actually done by commercial CAs in practice, are more of an extortion racket than a security measure. I have to agree on that. But a Startcom Certificate on a personal web site is one web site more that doesn't train users to blindly click away certificate warnings. A cacert certificate or a self-signed certificate on a personal web site is one web site more that does that kind of training. Do you really think that the content on a Startcom certificated site is more likely to be trustworthy than an CAcert certificated site? I think the real problem here is the user interface asking one to trust a site (forever, unless you're concentrating) at a point where you really don't care because all you're interested in is seeing the cute picture of an otter on someone's blog. If browsers treated all new certificates with suspicion, limiting the things that could be done in javascript, and not allowing forms to be filled in, say, and then when you decided that you wanted to offer the site some trust (because you want to fill in your credit card on the https://amazon-really-it-is.mafia.biz/ site) the browser could then guide you toward some checks that you might want to perform before continuing, and because you've got a credit card n your hand you might be vaguely interested at that point. Anyway, can we not just have a cacert-certificates package, and then people like me, who use cacert, could decide to trust them easily on my machines at least? If we instead do things that make it harder for even Free Software enthusiasts to use something like CAcert, then the slim chance that CAcert might eventually become properly useful gets even slimmer. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560]http://www.hands.com/ |-| HANDS.COM Ltd.http://ftp.uk.debian.org/ |(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND pgpAystKr6qOU.pgp Description: PGP signature
Re: ca-certificates: no more cacert.org certificates?!?
On Tue, Apr 1, 2014 at 6:04 PM, Philip Hands wrote: I think the real problem here is the user interface asking one to trust a site (forever, unless you're concentrating) at a point where you really don't care because all you're interested in is seeing the cute picture of an otter on someone's blog. Indeed, the browser vendors basically fell for the NSA's social engineering and put up scary warnings for a situation that is approximately equivalent to plain unencrypted HTTP, which they treat as all fine and good. If browsers treated all new certificates with suspicion, limiting the things that could be done in javascript, and not allowing forms to be filled in, say, and then when you decided that you wanted to offer the site some trust (because you want to fill in your credit card on the https://amazon-really-it-is.mafia.biz/ site) the browser could then guide you toward some checks that you might want to perform before continuing, and because you've got a credit card n your hand you might be vaguely interested at that point. They don't even do that stuff for plain unencrypted HTTP so it is unlikely they would for self-signed or unknown-ca HTTPS connections. Anyway, can we not just have a cacert-certificates package, and then people like me, who use cacert, could decide to trust them easily on my machines at least? If we instead do things that make it harder for even Free Software enthusiasts to use something like CAcert, then the slim chance that CAcert might eventually become properly useful gets even slimmer. From the discussion on #debian-security it sounds like what will happen is either a ca-certificates-cacert package or adding cacert.org to ca-certificates but disabled by default. -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/caktje6et5cbxheabmfmw4fcv+mfkpto21oo6upm9yyk+br0...@mail.gmail.com
Re: ca-certificates: no more cacert.org certificates?!?
Hi, On Dienstag, 1. April 2014, Marc Haber wrote: I have to agree on that. But a Startcom Certificate on a personal web site is one web site more that doesn't train users to blindly click away certificate warnings. A cacert certificate or a self-signed certificate on a personal web site is one web site more that does that kind of training. so what? SSL is broken by design, trusting anything based on an SSL certificate is foolish at best. any CA (of which there are hundreds enabled in browsers and system libraries by default) can sign any certificate and most (all?) tools won't complain/detect this. so in a way, training not to trust these certs is the best one can do :) cheers, Holger, who wishes banks would push gpg monkeysphere for https signature.asc Description: This is a digitally signed message part.
Re: ca-certificates: no more cacert.org certificates?!?
previously on this list people contributed: I still don't see why we penalize Debian users for the fact that _other_ operating systems don't include the cacert certificate Seems illogical to me we need more free CAs not less and I do agree about the extortionism especially on EV. If a web designer only tests if one browser works on one OS without a chaining issue then does he really care and is he a fool that needs teaching anyhow. I have to agree on that. But a Startcom Certificate on a personal web site is one web site more that doesn't train users to blindly click away certificate warnings. A cacert certificate or a self-signed certificate on a personal web site is one web site more that does that kind of training. Or to check if they are on the right domain? Xombrero caching of cert changes and warnings is useful in the terrible climate for those who know what to check. -- ___ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) In Other Words - Don't design like polkit or systemd ___ I have no idea why RTFM is used so aggressively on LINUX mailing lists because whilst 'apropos' is traditionally the most powerful command on Unix-like systems it's 'modern' replacement 'apropos' on Linux is a tool to help psychopaths learn to control their anger. (Kevin Chadwick) ___ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/169118.38101...@smtp132.mail.ir2.yahoo.com
Re: ca-certificates: no more cacert.org certificates?!?
On Tue, Apr 01, 2014 at 11:04:43AM +0100, Philip Hands wrote: I think the real problem here is the user interface asking one to trust a site (forever, unless you're concentrating) at a point where you really don't care because all you're interested in is seeing the cute picture of an otter on someone's blog. Yes. And the fact that making your blog use an encrypted connection causes either scary warnings for all your visitors, or a lot of hassle trying to find a CA who is slightly less extorting than the others, leads to the result that most people give it up and don't use encryption on their blog. I think at Debian we all agree that it would be a good thing if everything would be encrypted, so this is a very bad outcome. If browsers treated all new certificates with suspicion, limiting the things that could be done in javascript, and not allowing forms to be filled in, say, and then when you decided that you wanted to offer the site some trust (because you want to fill in your credit card on the https://amazon-really-it-is.mafia.biz/ site) the browser could then guide you toward some checks that you might want to perform before continuing, and because you've got a credit card n your hand you might be vaguely interested at that point. But what does that accomplish? Having a signature from one of the many CAs on the key doesn't really prove anything. It certainly doesn't mean they're going to be careful with your money. On Tue, Apr 01, 2014 at 06:30:11PM +0800, Paul Wise wrote: On Tue, Apr 1, 2014 at 6:04 PM, Philip Hands wrote: I think the real problem here is the user interface asking one to trust a site (forever, unless you're concentrating) at a point where you really don't care because all you're interested in is seeing the cute picture of an otter on someone's blog. Indeed, the browser vendors basically fell for the NSA's social engineering and put up scary warnings for a situation that is approximately equivalent to plain unencrypted HTTP, which they treat as all fine and good. It's not at all equivalent. When using (good) encryption, the only thing left to worry about is man in the middle attacks. Even when someone is actively performing a man in the middle attack on you, your data is _still_ more secure than a plain text connection, because while the person doing the attack can read your data, the rest of the world still can't. Of course the person doing the attack is probably more of a problem than the rest of the world, but he could read your data if it was unencrypted as well. An unencrypted connection is readable to everyone; an encrypted connection is readable to those in a position to alter your packets. And when they use it, it is detectable (which doesn't imply it is detected, but it probably would be if an organization like the NSA would start doing it on a really large scale). There are three problems to solve: first, you need to know that you're talking to the right person. Second, you need to make sure only that person can read your packets, and third, you need to know that that person is not evil. CAs try (but fail) to solve the first point only. They are however treated by many people as if they solve all three. The second point is already solved and it works just fine. The only problem is that browsers scare away all visitors when you use a self-signed certificate, or one from a CA that isn't recognized. Anyway, can we not just have a cacert-certificates package, and then people like me, who use cacert, could decide to trust them easily on my machines at least? If we instead do things that make it harder for even Free Software enthusiasts to use something like CAcert, then the slim chance that CAcert might eventually become properly useful gets even slimmer. From the discussion on #debian-security it sounds like what will happen is either a ca-certificates-cacert package or adding cacert.org to ca-certificates but disabled by default. Hmm, I would hope for a ca-certificates-cacert package then. If I have to, I want to explain people that they need to install this; I don't want to explain them how to enable certificates. Encryption is one of those things which should work by default, and any extra required step to make it possible is a bad thing. I've also asked Mozilla to give plain HTTP connections at least as much warnings as self-signed certificates (which would probably mean no warnings for either of them), but I don't think they'll listen. Thanks, Bas signature.asc Description: Digital signature
Re: ca-certificates: no more cacert.org certificates?!?
On Tue, 01 Apr 2014 11:04:43 +0100, Philip Hands p...@hands.com wrote: Marc Haber mh+debian-de...@zugschlus.de writes: On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery r...@debian.org wrote: Of course, I'm one of those people who believes that web site certificate signatures as currently implemented, with the level of vetting that's actually done by commercial CAs in practice, are more of an extortion racket than a security measure. I have to agree on that. But a Startcom Certificate on a personal web site is one web site more that doesn't train users to blindly click away certificate warnings. A cacert certificate or a self-signed certificate on a personal web site is one web site more that does that kind of training. Do you really think that the content on a Startcom certificated site is more likely to be trustworthy than an CAcert certificated site? No. I have nothing to add to Paul's explanation. Greetings Marc -- -- !! No courtesy copies, please !! - Marc Haber |Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom | http://www.zugschlus.de/ Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/e1wv5s4-0004ic...@swivel.zugschlus.de
Re: ca-certificates: no more cacert.org certificates?!?
previously on this list Bas Wijnen contributed: From: Bas Wijnen wij...@debian.org To: debian-devel@lists.debian.org Subject: Re: ca-certificates: no more cacert.org certificates?!? Date: Tue, 1 Apr 2014 22:22:12 +0200 User-Agent: Mutt/1.5.21 (2010-09-15) On Tue, Apr 01, 2014 at 11:04:43AM +0100, Philip Hands wrote: I think the real problem here is the user interface asking one to trust a site (forever, unless you're concentrating) at a point where you really don't care because all you're interested in is seeing the cute picture of an otter on someone's blog. Yes. And the fact that making your blog use an encrypted connection causes either scary warnings for all your visitors, or a lot of hassle trying to find a CA who is slightly less extorting than the others, leads to the result that most people give it up and don't use encryption on their blog. I agree I think at Debian we all agree that it would be a good thing if everything would be encrypted, so this is a very bad outcome. I beg to differ I'm afraid. SSL should be used where it is required otherwise you are opening the server upto DOS and as it is more complex, bugs and exploits not to mention greater memory and cpu usage in similar fashion to systemd. I've also asked Mozilla to give plain HTTP connections at least as much warnings as self-signed certificates (which would probably mean no warnings for either of them), but I don't think they'll listen. What have you asked them exactly. I believe glaring warnings should be removed from self-signed and green bars removed completely for EV certs but you should be asked to check the fingerprint for self-signed and the browser should cache the cert and warn of changes in all cases though that would scare the uninitiated at first??? -- ___ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) In Other Words - Don't design like polkit or systemd ___ I have no idea why RTFM is used so aggressively on LINUX mailing lists because whilst 'apropos' is traditionally the most powerful command on Unix-like systems it's 'modern' replacement 'apropos' on Linux is a tool to help psychopaths learn to control their anger. (Kevin Chadwick) ___ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/616880.64104...@smtp144.mail.ir2.yahoo.com
Re: ca-certificates: no more cacert.org certificates?!?
On Tue, Apr 01, 2014 at 10:49:15PM +0100, Kevin Chadwick wrote: I think at Debian we all agree that it would be a good thing if everything would be encrypted, so this is a very bad outcome. I beg to differ I'm afraid. SSL should be used where it is required otherwise you are opening the server upto DOS and as it is more complex, bugs and exploits not to mention greater memory and cpu usage in similar fashion to systemd. That's a valid point. I think all connections should be encrypted, unless the server admin knowingly disables the encryption. Does that sound better? What I would like to see, is that if someone new to making websites tries something, they will be using encrypted connections. And if they start asking people to fill out personal data, they don't need to do anything extra to make sure it works right. I've also asked Mozilla to give plain HTTP connections at least as much warnings as self-signed certificates (which would probably mean no warnings for either of them), but I don't think they'll listen. What have you asked them exactly. https://bugzilla.mozilla.org/show_bug.cgi?id=566008#c12 I believe glaring warnings should be removed from self-signed and green bars removed completely for EV certs but you should be asked to check the fingerprint for self-signed and the browser should cache the cert and warn of changes in all cases though that would scare the uninitiated at first??? I think from a usability perspective, normal browsing, including self-signed certificates, should just work without any messages. But I gladly leave the details to the browser developers. There is one thing I would like them to do, and that is scare users more towards encrypted connections than away from them. I don't think any scaring is required, but if they are going to scare people for self-signed certificates, they should scare them even more for unencrypted connections. Thanks, Bas signature.asc Description: Digital signature
Re: ca-certificates: no more cacert.org certificates?!?
On Wed, Apr 2, 2014 at 4:22 AM, Bas Wijnen wrote: It's not at all equivalent. When using (good) encryption, the only thing left to worry about is man in the middle attacks. Even when someone is actively performing a man in the middle attack on you, your data is _still_ more secure than a plain text connection, because while the person doing the attack can read your data, the rest of the world still can't. Of course the person doing the attack is probably more of a problem than the rest of the world, but he could read your data if it was unencrypted as well. An unencrypted connection is readable to everyone; an encrypted connection is readable to those in a position to alter your packets. And when they use it, it is detectable (which doesn't imply it is detected, but it probably would be if an organization like the NSA would start doing it on a really large scale). Encrypted and unencrypted connections are equivalent because anyone who is on your network path (or can manipulate DNS or BGP) can MITM the connection. The MITM could be active or passive in either case, encryption pushes more attacks to the active side but either is still feasible. The NSA just does things like log all ciphertext for years and then break endpoint security. Forward secrecy hasn't been in focus until the recent NSA revelations really. There are three problems to solve: first, you need to know that you're talking to the right person. Second, you need to make sure only that person can read your packets, and third, you need to know that that person is not evil. CAs try (but fail) to solve the first point only. They are however treated by many people as if they solve all three. Fourth, you need to know that the person will never subject to an authority that could be evil at any point in time. Hmm, I would hope for a ca-certificates-cacert package then. If I have to, I want to explain people that they need to install this; I don't want to explain them how to enable certificates. Encryption is one of those things which should work by default, and any extra required step to make it possible is a bad thing. I mentioned this point on IRC during the discussion. I've also asked Mozilla to give plain HTTP connections at least as much warnings as self-signed certificates (which would probably mean no warnings for either of them), but I don't think they'll listen. I think they are constrained by the browser market; if they add annoying popups and other browser vendors don't then they will probably lose market share. This is the fundamental problem with web security; the wider user population wants things to 'work', anything that gets in the way tends -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/CAKTje6FDijKX_ytQhj9d_=tqT=y_jlaq2cjtb_xoste7wfw...@mail.gmail.com
Re: ca-certificates: no more cacert.org certificates?!?
On Mar 31, Brian May br...@microcomaustralia.com.au wrote: On the other hand, getting back on topic, cacert.org offers you certificates free, and for any purpose, which is why it is much better then any of the other free alternatives (I only know one free alternative). And they are about as useful as self-signed ones, as we know. -- ciao, Marco signature.asc Description: Digital signature
Re: ca-certificates: no more cacert.org certificates?!?
On Mon, 31 Mar 2014 09:24:29 +1100, Brian May br...@microcomaustralia.com.au wrote: On the other hand, getting back on topic, cacert.org offers you certificates free, and for any purpose, which is why it is much better then any of the other free alternatives (I only know one free alternative). cacert.org is unuseable if you offer your web site to muggles. It's not in the browsers. Greetings Marc -- -- !! No courtesy copies, please !! - Marc Haber |Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom | http://www.zugschlus.de/ Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/e1wugdq-0001ao...@swivel.zugschlus.de
Re: ca-certificates: no more cacert.org certificates?!?
On 1 April 2014 04:42, Marc Haber mh+debian-de...@zugschlus.de wrote: cacert.org is unuseable if you offer your web site to muggles. It's not in the browsers. Not sure what you mean. cacert.org is unusable at the moment because it isn't included in the browsers. Which is the problem we were discussing in this thread. -- Brian May br...@microcomaustralia.com.au
Re: ca-certificates: no more cacert.org certificates?!?
Brian May br...@microcomaustralia.com.au writes: On 1 April 2014 04:42, Marc Haber mh+debian-de...@zugschlus.de wrote: cacert.org is unuseable if you offer your web site to muggles. It's not in the browsers. Not sure what you mean. cacert.org is unusable at the moment because it isn't included in the browsers. Which is the problem we were discussing in this thread. But nothing Debian does one way or the other is going to get cacert.org's root certificates into the general end-user browsers. So that's a reality that we're going to have to continue to live with. Given that reality, it's not clear to me that cacert.org certificates really have much of an advantage for most use cases over self-signed certificates. Of course, I'm one of those people who believes that web site certificate signatures as currently implemented, with the level of vetting that's actually done by commercial CAs in practice, are more of an extortion racket than a security measure. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87ha6edl8d@windlord.stanford.edu
Re: ca-certificates: no more cacert.org certificates?!?
Hi, On Mon, Mar 31, 2014 at 04:03:30PM -0700, Russ Allbery wrote: Brian May br...@microcomaustralia.com.au writes: On 1 April 2014 04:42, Marc Haber mh+debian-de...@zugschlus.de wrote: cacert.org is unuseable if you offer your web site to muggles. It's not in the browsers. Not sure what you mean. cacert.org is unusable at the moment because it isn't included in the browsers. Which is the problem we were discussing in this thread. But nothing Debian does one way or the other is going to get cacert.org's root certificates into the general end-user browsers. So that's a reality that we're going to have to continue to live with. Given that reality, it's not clear to me that cacert.org certificates really have much of an advantage for most use cases over self-signed certificates. AFAIK in Debian we currently don't offer a simple way to run your own CA with a webgui, autoreminder of expiry, etc. Having Cacert in ca-certificates was a great way to cater for that without any extra setup hazzle. I still don't see why we penalize Debian users for the fact that _other_ operating systems don't include the cacert certificate. Cheers, -- Guido -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140401052045.ga2...@bogon.m.sigxcpu.org
Re: ca-certificates: no more cacert.org certificates?!?
On Sun, 30 Mar 2014 10:26:28 +1100, Brian May br...@microcomaustralia.com.au wrote: On 29 March 2014 18:10, Marc Haber mh+debian-de...@zugschlus.de wrote: My last renew of a startcom certificate was in February 2014. I guess you were victim of misunderstanding, or they indeed check what kind of service a certificate is used for and decide whether to continue to offer the certificate for this particular service for free or not. If you look up their policies (there is a pdf file somewhere), they say that the class 1 certificates (the free certificates) are only to be used for non-commercial websites. At quick glance, I couldn't find any definition of what non-commercial means. I find this somewhat a fair deal. If you make money from your web site, you should pay for the certificate. Greetings Marc -- -- !! No courtesy copies, please !! - Marc Haber |Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom | http://www.zugschlus.de/ Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/e1wu9cm-0003tw...@swivel.zugschlus.de
Re: ca-certificates: no more cacert.org certificates?!?
On 30 March 2014 17:26, Marc Haber mh+debian-de...@zugschlus.de wrote: I find this somewhat a fair deal. If you make money from your web site, you should pay for the certificate. Where do you draw the line? Does a commercial company hosting a website, say for documentation for a commercial product count at a per profit website? Also, startcom seems to be offline a lot lately, as I previously mentioned before. A bit poor if you have to pay for such bad service. The actual wording, from http://www.startssl.com/policy.pdf is: 3.1.2.1 Class 1 Certificates provide modest assurances that the email originated from a sender with the specified email address or that the domain address belongs to the respective server address. These certificates provide no proof of the identity of the subscriber or of the organization. Class 1 certificates are limited to client and server certificates, whereas the later is restricted in its usage for non-commercial purpose only. Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature, when using high-profile brands and names or if involved in obtaining or relaying sensitive information such as health records, financial details, personal information etc. What does commercial in nature mean? If I run a website as a hobby, and have Google ads on it, does it count as a website of commercial nature? Does this mean if I setup a website giving helpful hints for Microsoft Windows (a high profile brand), I cannot use a class 1 certificate? Not exactly like I would expect to get any money from it. They haven't really defined what they mean, and I think that is a big problem. On the other hand, getting back on topic, cacert.org offers you certificates free, and for any purpose, which is why it is much better then any of the other free alternatives (I only know one free alternative). I don't understand what is going on behind the scenes, however from my perspective (which may or may not be correct) it appears that every time cacert.org is about to get somewhere with getting their CA included with my browsers, they keep getting more and more road blocks put in their way. Road blocks that other, more established commercial CA's don't have to worry about. As such, any statements that say cacert.org is not needed because we have startcom, are incorrect. -- Brian May br...@microcomaustralia.com.au
Re: ca-certificates: no more cacert.org certificates?!?
On Wed, 26 Mar 2014 14:32:49 +1100, Dmitry Smirnov only...@debian.org wrote: On Tue, 25 Mar 2014 15:29:12 Marc Haber wrote: only...@debian.org wrote: I just want to note that Startcom is no match to cacert.org in regards to free SSL certificates. Some years ago I got free certificate from Startcom but a year later Startcom refused to renew it for free. They renew their certificates only in the last (two?) weeks of the lifetime. You cannot renew them ad your convenience, you have to do it at theirs. It had nothing to do with timing. I got usual email notice renew your certificate before it expire, submitted renewal request and got Certificate Declined response. When I asked why they explained that Class 1 certificates are not meant to be used for e-commerce despite that it was not a problem when they issued original certificate one year prior to that. They refused to renew certificate in January 2011 so my guess is that they've changed their policy some time in 2010... My last renew of a startcom certificate was in February 2014. I guess you were victim of misunderstanding, or they indeed check what kind of service a certificate is used for and decide whether to continue to offer the certificate for this particular service for free or not. Greetings Marc -- -- !! No courtesy copies, please !! - Marc Haber |Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom | http://www.zugschlus.de/ Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/e1wtnpj-00036g...@swivel.zugschlus.de
Re: ca-certificates: no more cacert.org certificates?!?
On 29 March 2014 18:10, Marc Haber mh+debian-de...@zugschlus.de wrote: My last renew of a startcom certificate was in February 2014. I guess you were victim of misunderstanding, or they indeed check what kind of service a certificate is used for and decide whether to continue to offer the certificate for this particular service for free or not. If you look up their policies (there is a pdf file somewhere), they say that the class 1 certificates (the free certificates) are only to be used for non-commercial websites. At quick glance, I couldn't find any definition of what non-commercial means. I wanted to quote the actual text, but instead get Weekend Maintenance: Some of our services are offline and under maintenance at weekends until 7:00 AM GMT. We apologize for the temporary inconvenience and thank you for your understanding. This basically means they are always offline when I need them the most, at least for my personal servers :-( -- Brian May br...@microcomaustralia.com.au
Re: ca-certificates: no more cacert.org certificates?!?
On Tue, 25 Mar 2014, Wouter Verhelst wrote: Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed standard in August 2012[1]. And DNS servers haven't support for them since recently (I'd say 6 months to 1 year). DNS servers have supported them for years; RFC3597 is over a decade old by now. RFC3597 does not specify TLSA records, it only specifies how DNS servers should handle RRs with unknown (to them) RDATA format. It is essential to allow new features to be propagated over the DNS network, but it does not necessarily implement TLSA at the signing zone -- and that, apart from widespread user agent support, is a pretty critical prerequisite for actually starting to use DANE. The claim was that DNS servers didn't support it. All you need is RFC3597 support to add TLSA records to your zone. e.g.: } _443._tcp.www.debian.org. IN TYPE52 \# 35 03010124b4287bf05f884f844373ac21f5afd3f74a31881c907c1e2712248e7ade9ab1 -- | .''`. ** Debian ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140325065627.gt1...@anguilla.noreply.org
Re: ca-certificates: no more cacert.org certificates?!?
Edward Allcutt wrote: Le 24/03/2014 14:23, Raphael Geissert a écrit : If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped support for the latter due to the lack of use[1]. [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html I believe you are mistaken. That blog post is about Google's own design for DNSSEC stapled certificates . Not DANE. Yes, my bad. The actual reference for DANE is: https://www.imperialviolet.org/2012/10/20/dane-stapled-certificates.html Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/lgrjvk$bvb$1...@ger.gmane.org
Re: ca-certificates: no more cacert.org certificates?!?
On Mon, 24 Mar 2014 12:22:53 +1100, Dmitry Smirnov only...@debian.org wrote: I just want to note that Startcom is no match to cacert.org in regards to free SSL certificates. Some years ago I got free certificate from Startcom but a year later Startcom refused to renew it for free. They renew their certificates only in the last (two?) weeks of the lifetime. You cannot renew them ad your convenience, you have to do it at theirs. Greetings Marc -- -- !! No courtesy copies, please !! - Marc Haber |Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom | http://www.zugschlus.de/ Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834 -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/e1wsslo-0008mk...@swivel.zugschlus.de
Re: ca-certificates: no more cacert.org certificates?!?
Marc Haber mh+debian-de...@zugschlus.de (2014-03-25): They renew their certificates only in the last (two?) weeks of the lifetime. Correct, two weeks. Mraw, KiBi. signature.asc Description: Digital signature
Re: ca-certificates: no more cacert.org certificates?!?
On Tue, 25 Mar 2014 15:29:12 Marc Haber wrote: only...@debian.org wrote: I just want to note that Startcom is no match to cacert.org in regards to free SSL certificates. Some years ago I got free certificate from Startcom but a year later Startcom refused to renew it for free. They renew their certificates only in the last (two?) weeks of the lifetime. You cannot renew them ad your convenience, you have to do it at theirs. It had nothing to do with timing. I got usual email notice renew your certificate before it expire, submitted renewal request and got Certificate Declined response. When I asked why they explained that Class 1 certificates are not meant to be used for e-commerce despite that it was not a problem when they issued original certificate one year prior to that. They refused to renew certificate in January 2011 so my guess is that they've changed their policy some time in 2010... -- All the best, Dmitry Smirnov GPG key : 4096R/53968D1B signature.asc Description: This is a digitally signed message part.
Re: ca-certificates: no more cacert.org certificates?!?
Marco d'Itri wrote: I suggest that anybody who wants to partecipate to this debate should clarify if their goal is: - choosing appropriate defaults for the general population of our users - taking a stand against the PKI system As a co-maintainer, any email that falls in the second category is a complete waste of my time. ca-certificates is not trying, nor is the place, to solve the problems of the PKI system. Anyway, I strongly recommend that nobody waste their time on an issue which in a couple of years will be much less relevant thanks to DANE. If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped support for the latter due to the lack of use[1]. [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/lgpbl0$ncd$1...@ger.gmane.org
Re: ca-certificates: no more cacert.org certificates?!?
Le 24/03/2014 14:23, Raphael Geissert a écrit : Anyway, I strongly recommend that nobody waste their time on an issue which in a couple of years will be much less relevant thanks to DANE. If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped support for the latter due to the lack of use[1]. [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed standard in August 2012[1]. And DNS servers haven't support for them since recently (I'd say 6 months to 1 year). If I understood correctly, Chromium/Google Chrome only supported DNSSEC validation. The issue with that kind of protocol is that you must trust your resolver, or have a resolver on your machine, bypassing any existing resolver cache of your network provider. However, I'm using DNSSEC Validator[2] on Firefox for quite a long time, and I'm very happy with it. I'll be glad to see it merged, so that we can really get rid of those EV x509 certificates, and be able to provide secure self-hosting solutions for everyone without big scary warnings. [1]http://tools.ietf.org/html/rfc6698 [2]https://www.dnssec-validator.cz/ Have a good day, Adrien -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/53303829.4020...@antipoul.fr
Re: ca-certificates: no more cacert.org certificates?!?
On Mon, 24 Mar 2014, Adrien CLERC wrote: Le 24/03/2014 14:23, Raphael Geissert a écrit : Anyway, I strongly recommend that nobody waste their time on an issue which in a couple of years will be much less relevant thanks to DANE. If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped support for the latter due to the lack of use[1]. [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed standard in August 2012[1]. And DNS servers haven't support for them since recently (I'd say 6 months to 1 year). DNS servers have supported them for years; RFC3597 is over a decade old by now. The issue with that kind of protocol is that you must trust your resolver, or have a resolver on your machine, bypassing any existing resolver cache of your network provider. A local validating resolver is not incompatible with using your provider's recursor (if you actually believe that buys you anything). -- | .''`. ** Debian ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `-http://www.debian.org/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140324135855.gn1...@anguilla.noreply.org
Re: ca-certificates: no more cacert.org certificates?!?
Le 24/03/2014 14:23, Raphael Geissert a écrit : Anyway, I strongly recommend that nobody waste their time on an issue which in a couple of years will be much less relevant thanks to DANE. If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped support for the latter due to the lack of use[1]. [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html I believe you are mistaken. That blog post is about Google's own design for DNSSEC stapled certificates . Not DANE. On Mon, 24 Mar 2014, Peter Palfrader wrote: DNS servers have supported them for years; RFC3597 is over a decade old by now. TLSA records were defined by RFC6698, which was issued in August 2012. -- Edward Allcutt
Re: ca-certificates: no more cacert.org certificates?!?
Le 24/03/2014 22:18, Edward Allcutt a écrit : I believe you are mistaken. That blog post is about Google's own design for DNSSEC stapled certificates . Not DANE. I figured it out after a more careful reading. I forgot about this trial from Google, that was obviously not used enough to be useful. DANE is not really used yet, but I think it is easier to setup. Adrien -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/5330a4d8.7020...@antipoul.fr
Re: ca-certificates: no more cacert.org certificates?!?
On Mon, Mar 24, 2014 at 02:58:55PM +0100, Peter Palfrader wrote: On Mon, 24 Mar 2014, Adrien CLERC wrote: Le 24/03/2014 14:23, Raphael Geissert a écrit : Anyway, I strongly recommend that nobody waste their time on an issue which in a couple of years will be much less relevant thanks to DANE. If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped support for the latter due to the lack of use[1]. [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed standard in August 2012[1]. And DNS servers haven't support for them since recently (I'd say 6 months to 1 year). DNS servers have supported them for years; RFC3597 is over a decade old by now. RFC3597 does not specify TLSA records, it only specifies how DNS servers should handle RRs with unknown (to them) RDATA format. It is essential to allow new features to be propagated over the DNS network, but it does not necessarily implement TLSA at the signing zone -- and that, apart from widespread user agent support, is a pretty critical prerequisite for actually starting to use DANE. -- This end should point toward the ground if you want to go to space. If it starts pointing toward space you are having a bad problem and you will not go to space today. -- http://xkcd.com/1133/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140324232856.ga12...@grep.be
Re: ca-certificates: no more cacert.org certificates?!?
Dmitry Smirnov only...@debian.org wrote: I've just noticed that cacert.org certificates was removed from ca-certificates a month ago. From changelog [1]: * No longer ship cacert.org certificates. Closes: #718434, LP: #1258286 [...] FWIW there is an article about it on http://lwn.net/Articles/590879/ cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/73d20b-b63@argenau.downhill.at.eu.org
Re: ca-certificates: no more cacert.org certificates?!?
On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote: FWIW there is an article about it on http://lwn.net/Articles/590879/ Thanks but LWN subscription is needed to read... (Alternatively, this item will become freely available on March 27, 2014). -- Regards, Dmitry Smirnov GPG key : 4096R/53968D1B --- Odious ideas are not entitled to hide from criticism behind the human shield of their believers' feelings. -- Richard Stallman signature.asc Description: This is a digitally signed message part.
Re: ca-certificates: no more cacert.org certificates?!?
On Sun, Mar 23, 2014 at 3:11 PM, Dmitry Smirnov wrote: On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote: FWIW there is an article about it on http://lwn.net/Articles/590879/ Thanks but LWN subscription is needed to read... (Alternatively, this item will become freely available on March 27, 2014). As a member of Debian you have a gratis LWN subscription available: https://www.debian.org/doc/manuals/developers-reference/resources.html#lwn -- bye, pabs http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/CAKTje6GE3NZJU9aNXH7z71o3=whp32m2xbg_u+kys-vkf2d...@mail.gmail.com
Re: ca-certificates: no more cacert.org certificates?!?
]] Dmitry Smirnov On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote: FWIW there is an article about it on http://lwn.net/Articles/590879/ Thanks but LWN subscription is needed to read... Use http://lwn.net/SubscriberLink/590879/fef0c71560078461/ -- Tollef Fog Heen UNIX is user friendly, it's just picky about who its friends are -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87k3blxscz@xoog.err.no
Re: ca-certificates: no more cacert.org certificates?!?
On Sun, 23 Mar 2014 08:54:20 Tollef Fog Heen wrote: Use http://lwn.net/SubscriberLink/590879/fef0c71560078461/ Interesting article (thank you for link). I just want to note that Startcom is no match to cacert.org in regards to free SSL certificates. Some years ago I got free certificate from Startcom but a year later Startcom refused to renew it for free. I understand that offering free certificate was their good will but they gave me no impression that I'm getting only trial first-year-for-free offer. It could be that their policy changed but these days I doubt it is possible to get free Startcom certificate unless for a web site which is clearly non-profit. By the way an interesting comment was posted to #718434 lately: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#239 -- Cheers, Dmitry Smirnov GPG key : 4096R/53968D1B --- I am easily satisfied with the very best. -- Winston Churchill signature.asc Description: This is a digitally signed message part.
Re: ca-certificates: no more cacert.org certificates?!?
I suggest that anybody who wants to partecipate to this debate should clarify if their goal is: - choosing appropriate defaults for the general population of our users - taking a stand against the PKI system Anyway, I strongly recommend that nobody waste their time on an issue which in a couple of years will be much less relevant thanks to DANE. If you want to hurt the PKI cartel^Wsystem then you should start working on DANE. -- ciao, Marco signature.asc Description: Digital signature
ca-certificates: no more cacert.org certificates?!?
I've just noticed that cacert.org certificates was removed from ca-certificates a month ago. From changelog [1]: * No longer ship cacert.org certificates. Closes: #718434, LP: #1258286 I'm disappointed by this decision and from #718434 I don't get a clear picture what is wrong with cacert.org. For years we were shipping their certificates and IMHO there should be a damn good reason to stop doing so. I wish maintainer would state the reason for removal in cahngelog. Is situation with cacert.org certificates dramatically worsened lately? Any security flaws were discovered? What we're gaining from dropping their certificates? Did we notify cacert.org about our intentions to drop their certificates? What were their comments? Did they provide time frame to address our concerns? Cacert.org web of trust model is very similar to ours. To me it is essentially more trustworthy than what for-profit CAs offer. Cacert.org (as the only non-profit community managed CA) needs our support. How dropping cacert.org certificates is going to benefit our communities? The following comment highlight some benefits of providing cacert.org certificates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#209 I want cacert.org certificates to raise no warning in browsers. This way we can encourage use of cacert.org certificates as alternative to self-signed certificates and therefore promote the use of HTTPS. Users are supposed to check certificate properties for encrypted connections if/when they want to check certificate authenticity. I think dropping cacert.org did more harm than good. Perhaps it's better to promote packages like xul-ext-certificatepatrol rather than punish cacert? After all I'm sure cacert.org team is doing their best just like we all do in Debian. [1]: http://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/unstable_changelog -- Cheers, Dmitry Smirnov GPG key : 4096R/53968D1B --- The most fatal blow to progress is slavery of the intellect. The most sacred right of humanity is the right to think, and next to the right to think is the right to express that thought without fear. -- Helen H. Gardner, Men, Women and Gods signature.asc Description: This is a digitally signed message part.
