[Systems] CACert in Browse (was: Re: Enabling https://translate.sugarlabs.org)

Sascha Silbe sascha-ml-ui-sugar-systems at silbe.org
Thu Jul 2 06:44:40 EDT 2009


On Thu, Jul 02, 2009 at 11:51:03AM +0200, Bernie Innocenti wrote:

>> Sure, they're having (organisational) trouble again, but to be honest 
>> I nevertheless trust them way more than any commercial CA.
> I used to trust them more, but many others are pulling the CACert
> certificate from their bundles because it finally got audited for
> security and *failed* to demonstrate sufficiently secure procedures for
> master key handling.
No, it didn't get audited. The audit got aborted due to lack of reaction 
from the board during the audit (at least that's my interpretation of 
what's been posted on the mailing list the last few days).

> Frankly, I'm very disappointed in CACert: this auditing saga has been
> going on for *ages* without good communication on their side.  What's
> missing now?  What's the ETA for it?
What is still missing is people who _actively_ care for it. People to 
step up for the board.
See the mailing list for all the gory details.

> By giving everybody the expectation they will become *the* free
> accredited CA soon, they're preventing others from doing the same for
> real.
Personally I don't think having more than one community CA is a bad 
thing, so what's holding back others from doing it instead of stalling 
on CACert?

> I don't know what to think: SSL mafia conspiracy or CACert incompetence?
I'd say severe lack of manpower, right from the beginning (when Duane 
was still chief).

>> BTW: Does Browse fall back to the system supplied CAs 
>> (/etc/ssl/certs)? Debian already includes CACert and IIRC some others 
>> as well.
> I'm pretty sure Firefox only uses its own separate bundle in Debian,
> because its strict branding policy certainly demands not altering the
> list of trusted CAs who have been going through an expensive
> corrup^H^H^H^H^H^Hvalidation process demanded by the Mozilla Foundation.
Well, the branding policy is exactly the reason it's called Iceweasel in 
Debian instead of Firefox. Not sure it uses the system CA certificates, 
though - for one thing I've added CACert to Mozilla ages ago and for the 
other I'm using it very rarely anyway.

CU Sascha

-- 
http://sascha.silbe.org/
http://www.infra-silbe.de/