[Systems] CACert in Browse (was: Re: Enabling https://translate.sugarlabs.org)
Sascha Silbe
sascha-ml-ui-sugar-systems at silbe.org
Thu Jul 2 06:44:40 EDT 2009
On Thu, Jul 02, 2009 at 11:51:03AM +0200, Bernie Innocenti wrote:
>> Sure, they're having (organisational) trouble again, but to be honest
>> I nevertheless trust them way more than any commercial CA.
> I used to trust them more, but many others are pulling the CACert
> certificate from their bundles because it finally got audited for
> security and *failed* to demonstrate sufficiently secure procedures
> for master key handling.
No, it didn't get audited. The audit got aborted due to lack of reaction
from the board during the audit (at least that's my interpretation of
what's been posted on the mailing list the last few days).
> Frankly, I'm very disappointed in CACert: this auditing saga has been
> going on for *ages* without good communication on their side. What's
> missing now? What's the ETA for it?
What is still missing is people who _actively_ care for it. People to
step up for the board.
See the mailing list for all the gory details.
> By giving everybody the expectation they will become *the* free
> accredited CA soon, they're preventing others from doing the same for
> real.
Personally I don't think having more than one community CA is a bad
thing, so what's holding back others from doing it instead of stalling
on CACert?
> I don't know what to think: SSL mafia conspiracy or CACert
> incompetence?
I'd say severe lack of manpower, right from the beginning (when Duane
was still chief).
>> BTW: Does Browse fall back to the system supplied CAs
>> (/etc/ssl/certs)? Debian already includes CACert and IIRC some others
>> as well.
> I'm pretty sure Firefox only uses its own separate bundle in Debian,
> because its strict branding policy certainly demands not altering the
> list of trusted CAs who have been going through an expensive
> corrup^H^H^H^H^H^Hvalidation process demanded by the Mozilla
> Foundation.
Well, the branding policy is exactly the reason it's called Iceweasel in
Debian instead of Firefox. Not sure it uses the system CA certificates,
though - for one thing I've added CACert to Mozilla ages ago and for the
other I'm using it very rarely anyway.
CU Sascha
--
http://sascha.silbe.org/
http://www.infra-silbe.de/