[Systems] Enabling https://translate.sugarlabs.org

Bernie Innocenti bernie at codewiz.org
Thu Jul 2 05:51:03 EDT 2009

[cc += sugar-devel@]

On Thu, 2009-07-02 at 10:25 +0200, Sascha Silbe wrote:
> On Thu, Jul 02, 2009 at 06:31:13AM +0200, Bernie Innocenti wrote:
> > And even then, rather than paying the pizzo (*) to the SSL mafia, we
> > coul create our own Sugar Labs CA and install our certificate in the
> > bundle used by Browse.  IIRC, OLPC was also doing this.
> What about including the CACert one instead?
> Sure, they're having (organisational) trouble again, but to be honest I 
> nevertheless trust them way more than any commercial CA.

I used to trust them more, but many others are pulling the CACert
certificate from their bundles because it finally got audited for
security and *failed* to demonstrate sufficiently secure procedures for
master key handling.

Frankly, I'm very disappointed in CACert: this auditing saga has been
going on for *ages* without good communication on their side.  What's
missing now?  What's the ETA for it?

By giving everybody the expectation they will become *the* free
accredited CA soon, they're preventing others from doing the same for

I'm sure they'd promptly help CACert if they needed money, hardware,
voluteers, software development.. *anything!*

I don't know what to think: SSL mafia conspiracy or CACert incompetence?

> BTW: Does Browse fall back to the system supplied CAs (/etc/ssl/certs)? 
> Debian already includes CACert and IIRC some others as well.

I'm pretty sure Firefox only uses its own separate bundle in Debian,
because its strict branding policy certainly demands not altering the
list of trusted CAs who have been going trough an expensive
corrup^H^H^H^H^H^Hvalidation process demanded by the Mozilla Foundation.

One can still choose any CA they like in the bundles used by Iceweasel
or Browse.

   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/

More information about the Systems mailing list