Bug#718795: nss: should CAcert.org be included?

Ansgar Burchardt ansgar at debian.org
Mon Aug 5 14:52:24 UTC 2013


Source: nss
Severity: important

[ Same request as in #718434, but for NSS and not ca-certificates ]
[ Discussion should best only happen in one bug, i.e. #718434, or ]
[ maybe debian-security at l.d.o.                                    ]

I'm wondering if Debian really should include CAcert.org root certificates:

The CAcert.org root certificates are only included by a small number of
vendors[1]. No major web browser (Mozilla, Chrome, IE, ...) includes
them by default.

  [1] <http://wiki.cacert.org/InclusionStatus>

CAcert.org itself has withdrawn its inclusion request into Mozilla's
certificate list[2] until an audit is completed. I'm not sure where the
current status is recorded, but [3] doesn't look too promising.

  [2] <https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158>
  [3] <http://wiki.cacert.org/AuditToDo>

I'm also not sure how well they follow current recommendations. For
example, Mozilla's CA requirements[4] include that "all new end-entity
certificates must contain at least 20 bits of unpredictable random data
(preferably in the serial number)" which I believe was introduced as a
consequence of some attacks on CAs that relied on predictable serial
numbers. CAcert.org doesn't seem to implement this, at least not in the
serial number (not sure what other places to check).

  [4] <http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html>

And last but not least: while CAcert.org publishes the source code of
their system[5] (good), looking at it does not make me trust it (it
causes the opposite effect)...

  [5] <http://www.cacert.org/src-lic.php>

Ansgar
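An added example, not part of the bug report and not CAcert's or Mozilla's code, that automates the check the paragraph on serial numbers describes doing by hand: it pulls serialNumber out of DER certificates with a minimal ASN.1 walk and then judges a batch of serials from one issuer against the "at least 20 bits of unpredictable random data" rule. The sample certificates are constructed stand-ins that encode only the prefix up to serialNumber, the serial values are made up, and the gap-based "looks like a counter" heuristic is this example's own addition rather than part of the Mozilla policy.

```python
# Added example: check a batch of certificate serial numbers from one issuer
# against the "at least 20 bits of unpredictable random data" rule. Not
# CAcert's code and not part of the bug report. The certificates below are
# constructed stand-ins (only the TBS prefix up to serialNumber is encoded).

MIN_RANDOM_BITS = 20  # the threshold the Mozilla policy quoted above asks for


def _tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed sample certs)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def _der_int(value):
    """Minimal two's-complement DER INTEGER contents for a non-negative int."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)


def fake_cert(serial):
    """Constructed DER: Certificate { tbsCertificate { [0] version, serialNumber } }.
    Everything after serialNumber is omitted; real certs carry the same prefix."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, _der_int(serial))
    return _tlv(0x30, _tlv(0x30, tbs))


def _read_tlv(buf, pos):
    """Decode the DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def serial_from_der(cert_der):
    """Return serialNumber from a DER certificate by walking only its prefix."""
    tag, pos, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional EXPLICIT [0] version
        tag, start, end = _read_tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(cert_der[start:end], "big", signed=True)


def assess_serials(serials):
    """Heuristic verdict for a batch of serials issued by one CA.

    bit_length >= 20 is necessary but not sufficient: a 64-bit counter has 64
    bits and zero unpredictability, so the batch is also checked for the small
    gaps a counter leaves between consecutive serials (heuristic, my own).
    """
    ordered = sorted(serials)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    min_bits = min(s.bit_length() for s in serials)
    sequential = len(gaps) > 0 and max(gaps) < 2 ** MIN_RANDOM_BITS
    return {
        "min_bits": min_bits,
        "sequential": sequential,
        "ok": min_bits >= MIN_RANDOM_BITS and not sequential,
    }


# Constructed sample batches (not real CAcert serials).
SEQUENTIAL_SERIALS = [0x1000 + i for i in range(5)]          # short counter
COUNTER_64BIT_SERIALS = [2 ** 40 + i for i in range(5)]      # wide but predictable
RANDOM_SERIALS = [0x5A3C9F1E7B2D4A60, 0x0F8E2C6B91D7A3E5, 0x7C1A4E9D2B6F0385,
                  0x2D9B7F3A1C5E8D64, 0x6E4F1A8C3B9D2E71]   # fixed, random-looking

if __name__ == "__main__":
    for name, batch in [("sequential", SEQUENTIAL_SERIALS),
                        ("64-bit counter", COUNTER_64BIT_SERIALS),
                        ("random", RANDOM_SERIALS)]:
        parsed = [serial_from_der(fake_cert(s)) for s in batch]
        print(name, assess_serials(parsed))
```

To run this against a real issuer, collect DER certificates it has signed, feed each to `serial_from_der`, and pass the list to `assess_serials`; the parser reads only the leading bytes, so a full certificate works as input just as the truncated stand-ins do. A single certificate cannot show whether a serial was random, which is why the verdict is computed over a batch.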



More information about the pkg-mozilla-maintainers mailing list