[Systems] CACert in Browse (was: Re: Enabling https://translate.sugarlabs.org)
Bernie Innocenti
bernie at codewiz.org
Thu Jul 2 09:46:37 EDT 2009
On Thu, 2009-07-02 at 12:44 +0200, Sascha Silbe wrote:
> On Thu, Jul 02, 2009 at 11:51:03AM +0200, Bernie Innocenti wrote:
>
> >> Sure, they're having (organisational) trouble again, but to be honest
> >> I nevertheless trust them way more than any commercial CA.
> > I used to trust them more, but many others are pulling the CACert
> > certificate from their bundles because it finally got audited for
> > security and *failed* to demonstrate sufficiently secure procedures
> > for
> > master key handling.
> No, it didn't get audited. The audit got aborted due to lack of reaction
> from the board during the audit (at least that's my interpretation of
> what's been posted on the mailing list the last few days).
>
> > Frankly, I'm very disappointed in CACert: this auditing saga has been
> > going on for *ages* without good communication on their side. What's
> > missing now? What's the ETA for it?
> What is still missing is people who _actively_ care for it. People to
> step up for the board.
> See the mailing list for all the gory details.
>
> > By giving everybody the expectation they will become *the* free
> > accredited CA soon, they're preventing others from doing the same for
> > real.
> Personally I don't think having more than one community CA is a bad
> thing, so what's holding back others from doing it instead of stalling
> on CACert?
>
> > I don't know what to think: SSL mafia conspiracy or CACert
> > incompetence?
> I'd say severe lack of manpower, right from the beginning (when Duane
> was still chief).
>
> >> BTW: Does Browse fall back to the system supplied CAs
> >> (/etc/ssl/certs)? Debian already includes CACert and IIRC some others
> >> as well.
> > I'm pretty sure Firefox only uses its own separate bundle in Debian,
> > because its strict branding policy certainly demands not altering the
> > list of trusted CAs who have been going trough an expensive
> > corrup^H^H^H^H^H^Hvalidation process demanded by the Mozilla
> > Foundation.
> Well, the branding policy is exactly the reason it's called Iceweasel in
> Debian instead of Firefox. Not sure it uses the system CA certificates,
> though - for one thing I've added CACert to Mozilla ages ago and for the
> other I'm using it very rarely anyway.
Speaking of trust, my MUA says that your last message
had a bad GPG signature:
gpg: armor header: Version: GnuPG v1.4.9 (GNU/Linux)
gpg: Signature made Thu Jul 2 12:44:37 2009 CEST using RSA key ID 4C1770DA
gpg: using subkey 4C1770DA instead of primary key A13AC1B1
gpg: using PGP trust model
gpg: BAD signature from "Sascha Silbe <sascha-pgp at silbe.org>"
gpg: textmode signature, digest algorithm SHA1
Ok, the game is over. Now tell us who you are and what you
did of the real Sascha!
--
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
More information about the Systems
mailing list