Anatoly, don't you know that cross-posting is a bad idea?[1] If you disagree with the management of bugs.python.org, tracker-discuss is the right place to post.
anatoly techtonik writes:

> The b.p.o uses CAcert certificate that was never valid on Windows

Of course it was valid, it was simply not trusted by default. Given Microsoft's historical aversion to "free" anything, that's a completely null signal.

> and now removed from Ubuntu and Debian, and yet, some people push
> the idea that it is OK to continue using such certificate for
> b.p.o.

As pointed out (and never denied) in the thread[2] explaining why Debian removed CAcert, Debian's "include only 'trustworthy' root certificates" policy is broken, both in theory and in practice. With regard to CAcert, there are no known exploits -- which is not true of several of the other authorities in Debian's bundle (which is mostly taken from Mozilla).

Perhaps it's worth moving to a different free root authority, or maybe even (gasp!) paying for a well-known commercial certificate, but you need to find one that satisfies the technical requirement posted by Martin -- namely, that certs for a particular host should *not* allow escalation of privilege to all hosts in the python.org domain. (Note that if we use a commercial service this probably becomes rather expensive.) There may be other requirements I don't know about.

Personally, since I think that the X.509 architecture is broken at the top in practice (why is Verisign trustworthy? how about the Chinese National Network Information Center? or the Japanese Ministry of Education (my employer)? yet most systems -- including Windows -- default to trusting any certificate issued by any of them), having a root cert that seems trustworthy to me, yet isn't trusted by default, allowing me to *choose* to assign an appropriate amount of trust to bugs.python.org, seems to be the most secure option. I don't know if it's any better than a self-signed cert, of course.

> I disapprove the decision of these people

What else is new?

> and hope that somebody from python community can change their
> convoluted understanding of security.

Security *is* convoluted, and your own understanding of it seems to be limited since you misuse technical terms like "valid" (there's a difference between "cannot be validated" and "not valid").

Footnotes:
[1] Among other things, it makes it likely that the ban on your participation will be extended.

_______________________________________________
Tracker-discuss mailing list
Tracker-discuss@python.org
https://mail.python.org/mailman/listinfo/tracker-discuss