[Systems] CACert in Browse (was: Re: Enabling https://translate.sugarlabs.org)

Bernie Innocenti bernie at codewiz.org
Thu Jul 2 09:46:37 EDT 2009


On Thu, 2009-07-02 at 12:44 +0200, Sascha Silbe wrote:
> On Thu, Jul 02, 2009 at 11:51:03AM +0200, Bernie Innocenti wrote:
> 
> >> Sure, they're having (organisational) trouble again, but to be honest 
> >> I nevertheless trust them way more than any commercial CA.
> > I used to trust them more, but many others are pulling the CACert
> > certificate from their bundles because it finally got audited for
> > security and *failed* to demonstrate sufficiently secure procedures 
> > for
> > master key handling.
> No, it didn't get audited. The audit got aborted due to lack of reaction 
> from the board during the audit (at least that's my interpretation of 
> what's been posted on the mailing list the last few days).
> 
> > Frankly, I'm very disappointed in CACert: this auditing saga has been
> > going on for *ages* without good communication on their side.  What's
> > missing now?  What's the ETA for it?
> What is still missing is people who _actively_ care for it. People to 
> step up for the board.
> See the mailing list for all the gory details.
> 
> > By giving everybody the expectation they will become *the* free
> > accredited CA soon, they're preventing others from doing the same for
> > real.
> Personally I don't think having more than one community CA is a bad 
> thing, so what's holding back others from doing it instead of stalling 
> on CACert?
> 
> > I don't know what to think: SSL mafia conspiracy or CACert 
> > incompetence?
> I'd say severe lack of manpower, right from the beginning (when Duane 
> was still chief).
> 
> >> BTW: Does Browse fall back to the system supplied CAs 
> >> (/etc/ssl/certs)? Debian already includes CACert and IIRC some others 
> >> as well.
> > I'm pretty sure Firefox only uses its own separate bundle in Debian,
> > because its strict branding policy certainly demands not altering the
> > list of trusted CAs who have been going trough an expensive
> > corrup^H^H^H^H^H^Hvalidation process demanded by the Mozilla 
> > Foundation.
> Well, the branding policy is exactly the reason it's called Iceweasel in 
> Debian instead of Firefox. Not sure it uses the system CA certificates, 
> though - for one thing I've added CACert to Mozilla ages ago and for the 
> other I'm using it very rarely anyway.

Speaking of trust, my MUA says that your last message
had a bad GPG signature:

gpg: armor header: Version: GnuPG v1.4.9 (GNU/Linux)
gpg: Signature made Thu Jul  2 12:44:37 2009 CEST using RSA key ID 4C1770DA
gpg: using subkey 4C1770DA instead of primary key A13AC1B1
gpg: using PGP trust model
gpg: BAD signature from "Sascha Silbe <sascha-pgp at silbe.org>"
gpg: textmode signature, digest algorithm SHA1

Ok, the game is over.  Now tell us who you are and what you
did of the real Sascha!

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/




More information about the Systems mailing list