Bug#731463: Bug#718434: ca-certificates: should CAcert.org be included?
Michael Shuler
michael at pbandjelly.org
Sat Dec 7 00:13:16 UTC 2013
I just wanted to include a reply on this bug to say that I have been reading
the responses as they have been posted. I appreciate the feedback and
I'm still pretty torn, to be honest.
#1 - Debian does not distribute CAcert's web site code, so while the
question about its quality is technically irrelevant, it is still a
concern for the service. Since that code is open source, someone found
something that can be fixed. Cool. Can the same be said for every CA?
I think not. And I imagine there are multitudes of security issues
that could be found in any CA's web service, if the code was public.
Doesn't that make CAcert *more* transparent? Isn't this the whole point
of OSS?
#2 - All CAs included in ca-certificates are available to have the trust
turned off. If you have a concern about a particular CA and do not
trust them, disable that CA.
#3 - Yes, other Linux/BSD distributions have removed CAcert's
certificates. Should Debian? Perhaps. Perhaps not.
I'll keep thinking about it. If the Debian NSS maintainer has a strong
opinion to remove CAcert's roots, then the same will happen in
ca-certificates, in order to maintain the same CA set. I just
personally have no strong opinion either way - I think it's great that
Debian supports such a project, and I think it would be a shame to
remove that support. I think every CA probably has its warts, but the
CA system is what we have, good or bad.
Kind regards,
Michael
(resent to nss cloned bug)
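Point #2 above says a distrusted CA can simply be switched off. The following is an added example, not part of this thread, showing how that is done on Debian: a line in /etc/ca-certificates.conf prefixed with "!" is deselected the next time update-ca-certificates runs. It assumes the CAcert entry is named cacert.org/cacert.org.crt and works on a constructed sample config so it runs offline.

```shell
#!/bin/sh
# Added example: deselect (and re-select) one CA in a Debian-style
# ca-certificates.conf. Assumed convention: "!" prefix = deselected.
# The cert path cacert.org/cacert.org.crt is an assumption, not from the thread.

# disable_ca CONF CERT: prefix the exact CERT line with "!" (idempotent).
disable_ca() {
    awk -v cert="$2" '$0 == cert { print "!" $0; next } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# enable_ca CONF CERT: remove the "!" prefix again (idempotent).
enable_ca() {
    awk -v cert="$2" '$0 == "!" cert { print cert; next } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# ca_enabled CONF CERT / ca_disabled CONF CERT: exact, fixed-string line checks.
ca_enabled()  { grep -qxF "$2"  "$1"; }
ca_disabled() { grep -qxF "!$2" "$1"; }

# make_sample_conf: constructed stand-in for /etc/ca-certificates.conf.
make_sample_conf() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# Constructed sample. Lines starting with # are comments,
# lines beginning with ! deselect the certificate.
mozilla/DigiCert_Global_Root_CA.crt
cacert.org/cacert.org.crt
mozilla/GlobalSign_Root_CA.crt
EOF
    printf '%s\n' "$conf"
}

# Demonstration on the sample config (on a real host you would edit
# /etc/ca-certificates.conf instead and then run: sudo update-ca-certificates).
demo=$(make_sample_conf)
disable_ca "$demo" cacert.org/cacert.org.crt
cat "$demo"
rm -f "$demo"
```

The same edit can be made interactively with `dpkg-reconfigure ca-certificates`; either way, update-ca-certificates then rebuilds /etc/ssl/certs without the deselected root.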
More information about the pkg-mozilla-maintainers mailing list