Re: ca-certificates: no more cacert.org certificates?!?

2014-04-03 Thread Kevin Chadwick
previously on this list Bas Wijnen contributed:

> On Tue, Apr 01, 2014 at 10:49:15PM +0100, Kevin Chadwick wrote:
> > >  I think at Debian we all agree that it would be a good
> > > thing if everything would be encrypted, so this is a very bad outcome.
> > 
> > I beg to differ I'm afraid. SSL should be used where it is required,
> > otherwise you are opening the server up to DoS and, as it is more
> > complex, bugs and exploits, not to mention greater memory and CPU usage,
> > in similar fashion to systemd.
> 
> That's a valid point.  I think all connections should be encrypted,
> unless the server admin knowingly disables the encryption.  Does that
> sound better?
> 
> What I would like to see, is that if someone new to making websites
> tries something, they will be using encrypted connections.  And if they
> start asking people to fill out personal data, they don't need to do
> anything extra to make sure it works right.
> 

Sorry, but I still have to disagree, as this shouldn't really, but
certainly does still, increase the chances of someone submitting data to
a site that doesn't care about the security of that data or have the
ability to look after it.

OTOH it would prevent WordPress logins being stolen so easily and ISPs
snooping; however, I believe in solving specific problems, not swapping
problems around, what do you know, again like systemd due to its
multi-functional design or rather lack of it ;-)

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___

I have no idea why RTFM is used so aggressively on LINUX mailing lists
because whilst 'apropos' is traditionally the most powerful command on
Unix-like systems its 'modern' replacement 'apropos' on Linux is a tool
to help psychopaths learn to control their anger.

(Kevin Chadwick)

___


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/991243.53700...@smtp120.mail.ir2.yahoo.com



Re: ca-certificates: no more cacert.org certificates?!?

2014-04-02 Thread Michael Shuler

On 04/02/2014 04:43 AM, Bas van den Dikkenberg wrote:

> The only thing it states in the RDL is that the user has to be informed about the copyright


I find this, perhaps, the most interesting and on-topic comment in this 
thread.


--
Kind regards,
Michael





Re: ca-certificates: no more cacert.org certificates?!?

2014-04-02 Thread Paul Wise
On Wed, Apr 2, 2014 at 6:09 PM, Matthias Urlichs wrote:

> Somebody could passively log the connection for later analysis.
> Your argument does not hold for this case.

I don't have an argument, I'm saying that Snowden revealed that global
active adversaries like the NSA and GCHQ have been doing this for a
while. Logging ciphertext via passive MITM and breaking endpoint
security to defeat encryption globally.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: ca-certificates: no more cacert.org certificates?!?

2014-04-02 Thread Matthias Urlichs
Hi,

Paul Wise:
> Encrypted and unencrypted connections are equivalent because anyone
> who is on your network path (or can manipulate DNS or BGP) can MITM
> the connection.

Somebody could passively log the connection for later analysis.
Your argument does not hold for this case.

-- 
-- Matthias Urlichs




Re: ca-certificates: no more cacert.org certificates?!?

2014-04-02 Thread Chow Loong Jin
On Wed, Apr 02, 2014 at 09:43:34AM +, Bas van den Dikkenberg wrote:
> Where do you get the idea cacert uses popups?
> 
> The only thing it states in the RDL is that the user has to be informed about the
> copyright

Read the previous post, and please avoid top-posting. This post is turning out
weirdly because of that.

I've added some more context to the quote below to make it more obvious what his
response was to.


> -Original Message-
> From: paul.is.w...@gmail.com [mailto:paul.is.w...@gmail.com] On behalf of Paul Wise
> Sent: Wednesday 2 April 2014 08:47
> To: debian-devel@lists.debian.org
> Subject: Re: ca-certificates: no more cacert.org certificates?!?
> 
> On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote:

> > > I've also asked Mozilla to give plain HTTP connections at least as much
> > > warnings as self-signed certificates (which would probably mean no
> > > warnings for either of them), but I don't think they'll listen.
> >
> > I think they are constrained by the browser market; if they add 
> > annoying popups and other browser vendors don't then they will 
> > probably lose market share. This is the fundamental problem with web 
> > security; the wider user population wants things to 'work', anything 
> > that gets in the way tends
> 
> ... not to get implemented.
> 

-- 
Kind regards,
Loong Jin




RE: ca-certificates: no more cacert.org certificates?!?

2014-04-02 Thread Bas van den Dikkenberg
Where do you get the idea cacert uses popups?

The only thing it states in the RDL is that the user has to be informed about the copyright



-Original Message-
From: paul.is.w...@gmail.com [mailto:paul.is.w...@gmail.com] On behalf of Paul Wise
Sent: Wednesday 2 April 2014 08:47
To: debian-devel@lists.debian.org
Subject: Re: ca-certificates: no more cacert.org certificates?!?

On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote:

> I think they are constrained by the browser market; if they add 
> annoying popups and other browser vendors don't then they will 
> probably lose market share. This is the fundamental problem with web 
> security; the wider user population wants things to 'work', anything 
> that gets in the way tends

... not to get implemented.

--
bye,
pabs

http://wiki.debian.org/PaulWise





Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Paul Wise
On Wed, Apr 2, 2014 at 1:26 PM, Paul Wise wrote:

> I think they are constrained by the browser market; if they add
> annoying popups and other browser vendors don't then they will
> probably lose market share. This is the fundamental problem with web
> security; the wider user population wants things to 'work', anything
> that gets in the way tends

... not to get implemented.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Paul Wise
On Wed, Apr 2, 2014 at 4:22 AM, Bas Wijnen wrote:

> It's not at all equivalent.  When using (good) encryption, the only
> thing left to worry about is man in the middle attacks.  Even when
> someone is actively performing a man in the middle attack on you, your
> data is _still_ more secure than a plain text connection, because while
> the person doing the attack can read your data, the rest of the world
> still can't.  Of course the person doing the attack is probably more of
> a problem than the rest of the world, but he could read your data if it
> was unencrypted as well.
>
> An unencrypted connection is readable to everyone; an encrypted
> connection is readable to those in a position to alter your packets.
> And when they use it, it is detectable (which doesn't imply it is
> detected, but it probably would be if an organization like the NSA would
> start doing it on a really large scale).

Encrypted and unencrypted connections are equivalent because anyone
who is on your network path (or can manipulate DNS or BGP) can MITM
the connection. The MITM could be active or passive in either case;
encryption pushes more attacks to the active side, but either is still
feasible. The NSA just does things like log all ciphertext for years
and then break endpoint security. Forward secrecy hasn't been in focus
until the recent NSA revelations, really.

> There are three problems to solve: first, you need to know that you're
> talking to the right person.  Second, you need to make sure only that
> person can read your packets, and third, you need to know that that
> person is not evil.  CAs try (but fail) to solve the first point only.
> They are however treated by many people as if they solve all three.

Fourth, you need to know that the person will never be subject to an
authority that could be evil at any point in time.

> Hmm, I would hope for a ca-certificates-cacert package then.  If I have
> to, I want to explain people that they need to install this; I don't
> want to explain them how to enable certificates.  Encryption is one of
> those things which should work by default, and any extra required step
> to make it possible is a bad thing.

I mentioned this point on IRC during the discussion.

> I've also asked Mozilla to give plain HTTP connections at least as much
> warnings as self-signed certificates (which would probably mean no
> warnings for either of them), but I don't think they'll listen.

I think they are constrained by the browser market; if they add
annoying popups and other browser vendors don't then they will
probably lose market share. This is the fundamental problem with web
security; the wider user population wants things to 'work', anything
that gets in the way tends

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Bas Wijnen
On Tue, Apr 01, 2014 at 10:49:15PM +0100, Kevin Chadwick wrote:
> >  I think at Debian we all agree that it would be a good
> > thing if everything would be encrypted, so this is a very bad outcome.
> 
> I beg to differ I'm afraid. SSL should be used where it is required,
> otherwise you are opening the server up to DoS and, as it is more
> complex, bugs and exploits, not to mention greater memory and CPU usage,
> in similar fashion to systemd.

That's a valid point.  I think all connections should be encrypted,
unless the server admin knowingly disables the encryption.  Does that
sound better?

What I would like to see, is that if someone new to making websites
tries something, they will be using encrypted connections.  And if they
start asking people to fill out personal data, they don't need to do
anything extra to make sure it works right.

> > I've also asked Mozilla to give plain HTTP connections at least as much
> > warnings as self-signed certificates (which would probably mean no
> > warnings for either of them), but I don't think they'll listen.
> 
> What have you asked them exactly?

https://bugzilla.mozilla.org/show_bug.cgi?id=566008#c12

> I believe glaring warnings should be removed from self-signed and
> green bars removed completely for EV certs but you should be asked to
> check the fingerprint for self-signed and the browser should cache the
> cert and warn of changes in all cases though that would scare the
> uninitiated at first???

I think from a usability perspective, "normal" browsing, including
self-signed certificates, should just work without any messages.  But I
gladly leave the details to the browser developers.  There is one thing
I would like them to do, and that is scare users more towards encrypted
connections than away from them.  I don't think any scaring is required,
but if they are going to scare people for self-signed certificates, they
should scare them even more for unencrypted connections.

Thanks,
Bas




Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Kevin Chadwick
previously on this list Bas Wijnen contributed:

> From: Bas Wijnen 
> To: debian-devel@lists.debian.org
> Subject: Re: ca-certificates: no more cacert.org certificates?!?
> Date: Tue, 1 Apr 2014 22:22:12 +0200
> User-Agent: Mutt/1.5.21 (2010-09-15)
> 
> On Tue, Apr 01, 2014 at 11:04:43AM +0100, Philip Hands wrote:
> > I think the real problem here is the user interface asking one to trust
> > a site (forever, unless you're concentrating) at a point where you
> > really don't care because all you're interested in is seeing the cute
> > picture of an otter on someone's blog.  
> 
> Yes.  And the fact that making your blog use an encrypted connection
> causes either scary warnings for all your visitors, or a lot of hassle
> trying to find a CA who is slightly less extorting than the others,
> leads to the result that most people give it up and don't use encryption
> on their blog.

I agree

>  I think at Debian we all agree that it would be a good
> thing if everything would be encrypted, so this is a very bad outcome.
> 

I beg to differ I'm afraid. SSL should be used where it is required,
otherwise you are opening the server up to DoS and, as it is more
complex, bugs and exploits, not to mention greater memory and CPU usage,
in similar fashion to systemd.

> 
> I've also asked Mozilla to give plain HTTP connections at least as much
> warnings as self-signed certificates (which would probably mean no
> warnings for either of them), but I don't think they'll listen.

What have you asked them exactly? I believe glaring warnings should be
removed from self-signed and green bars removed completely for EV certs,
but you should be asked to check the fingerprint for self-signed and the
browser should cache the cert and warn of changes in all cases,
though that would scare the uninitiated at first???







Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Marc Haber
On Tue, 01 Apr 2014 11:04:43 +0100, Philip Hands wrote:
>Marc Haber writes:
>> On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery wrote:
>>>Of course, I'm one of those people who believes that web site certificate
>>>signatures as currently implemented, with the level of vetting that's
>>>actually done by commercial CAs in practice, are more of an extortion
>>>racket than a security measure.
>>
>> I have to agree on that. But a Startcom Certificate on a personal web
>> site is one web site more that doesn't train users to blindly click
>> away certificate warnings. A cacert certificate or a self-signed
>> certificate on a personal web site is one web site more that does that
>> kind of training.
>
>Do you really think that the content on a Startcom certificated site is
>more likely to be trustworthy than a CAcert certificated site?

No.

I have nothing to add to Paul's explanation.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Bas Wijnen
On Tue, Apr 01, 2014 at 11:04:43AM +0100, Philip Hands wrote:
> I think the real problem here is the user interface asking one to trust
> a site (forever, unless you're concentrating) at a point where you
> really don't care because all you're interested in is seeing the cute
> picture of an otter on someone's blog.

Yes.  And the fact that making your blog use an encrypted connection
causes either scary warnings for all your visitors, or a lot of hassle
trying to find a CA who is slightly less extorting than the others,
leads to the result that most people give it up and don't use encryption
on their blog.  I think at Debian we all agree that it would be a good
thing if everything would be encrypted, so this is a very bad outcome.

> If browsers treated all new certificates with suspicion, limiting the
> things that could be done in javascript, and not allowing forms to be
> filled in, say, and then when you decided that you wanted to offer the
> site some trust (because you want to fill in your credit card on the
> https://amazon-really-it-is.mafia.biz/ site) the browser could then
> guide you toward some checks that you might want to perform before
> continuing, and because you've got a credit card in your hand you might
> be vaguely interested at that point.

But what does that accomplish?  Having a signature from one of the many
CAs on the key doesn't really prove anything.  It certainly doesn't mean
they're going to be careful with your money.

On Tue, Apr 01, 2014 at 06:30:11PM +0800, Paul Wise wrote:
> On Tue, Apr 1, 2014 at 6:04 PM, Philip Hands wrote:
> 
> > I think the real problem here is the user interface asking one to trust
> > a site (forever, unless you're concentrating) at a point where you
> > really don't care because all you're interested in is seeing the cute
> > picture of an otter on someone's blog.
> 
> Indeed, the browser vendors basically fell for the NSA's social
> engineering and put up scary warnings for a situation that is
> approximately equivalent to plain unencrypted HTTP, which they treat
> as all fine and good.

It's not at all equivalent.  When using (good) encryption, the only
thing left to worry about is man in the middle attacks.  Even when
someone is actively performing a man in the middle attack on you, your
data is _still_ more secure than a plain text connection, because while
the person doing the attack can read your data, the rest of the world
still can't.  Of course the person doing the attack is probably more of
a problem than the rest of the world, but he could read your data if it
was unencrypted as well.

An unencrypted connection is readable to everyone; an encrypted
connection is readable to those in a position to alter your packets.
And when they use it, it is detectable (which doesn't imply it is
detected, but it probably would be if an organization like the NSA would
start doing it on a really large scale).

There are three problems to solve: first, you need to know that you're
talking to the right person.  Second, you need to make sure only that
person can read your packets, and third, you need to know that that
person is not evil.  CAs try (but fail) to solve the first point only.
They are however treated by many people as if they solve all three.

The second point is already solved and it works just fine.  The only
problem is that browsers scare away all visitors when you use a
self-signed certificate, or one from a CA that isn't recognized.

> > Anyway, can we not just have a cacert-certificates package, and then
> > people like me, who use cacert, could decide to trust them easily on my
> > machines at least?  If we instead do things that make it harder for even
> > Free Software enthusiasts to use something like CAcert, then the slim
> > chance that CAcert might eventually become properly useful gets even
> > slimmer.
> 
> From the discussion on #debian-security it sounds like what will
> happen is either a ca-certificates-cacert package or adding cacert.org
> to ca-certificates but disabled by default.

Hmm, I would hope for a ca-certificates-cacert package then.  If I have
to, I want to explain people that they need to install this; I don't
want to explain them how to enable certificates.  Encryption is one of
those things which should work by default, and any extra required step
to make it possible is a bad thing.

I've also asked Mozilla to give plain HTTP connections at least as much
warnings as self-signed certificates (which would probably mean no
warnings for either of them), but I don't think they'll listen.

Thanks,
Bas




Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Kevin Chadwick
previously on this list people contributed:

> I still don't see why we penalize Debian users for the fact that _other_
> operating systems don't include the cacert certificate

Seems illogical to me; we need more free CAs, not fewer, and I do agree
about the extortionism, especially on EV.

If a web designer only tests if one browser works on one OS without a
chaining issue, then does he really care, and is he a fool that needs
teaching anyhow?

>> I have to agree on that. But a Startcom Certificate on a personal web
>> site is one web site more that doesn't train users to blindly click
>> away certificate warnings. A cacert certificate or a self-signed
>> certificate on a personal web site is one web site more that does that
>> kind of training.

Or to check if they are on the right domain?

Xombrero's caching of cert changes and warnings is useful in the terrible
climate for those who know what to check.







Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Holger Levsen
Hi,

On Tuesday, 1 April 2014, Marc Haber wrote:
> I have to agree on that. But a Startcom Certificate on a personal web
> site is one web site more that doesn't train users to blindly click
> away certificate warnings. A cacert certificate or a self-signed
> certificate on a personal web site is one web site more that does that
> kind of training.

So what? SSL is broken by design; "trusting" anything based on an SSL
certificate is foolish at best. Any CA (of which there are hundreds enabled in
browsers and system libraries by default) can sign any certificate, and most
(all?) tools won't complain/detect this.

So in a way, training not to trust these certs is the best one can do :)


cheers,
Holger, who wishes banks would push gpg & monkeysphere for https




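The "cache the cert and warn of changes" check Kevin Chadwick suggests above (the Xombrero behaviour he mentions), which also answers Holger's point that any trusted CA can sign a certificate for any site without tools noticing, as an added example in Python that is not code from the thread, from Xombrero or from any browser. The pin-store layout, the function names and the stand-in certificate bytes in demo() are this example's own assumptions.

```python
"""Trust-on-first-use (TOFU) certificate pinning: remember the certificate a
host presented the first time and warn when a later connection shows a
different one, independent of which CA (if any) signed it.

Added example; not code from the thread, Xombrero or any browser. The store
layout and function names are this example's own assumptions.
"""
import hashlib
import json
import os
import ssl
import time
from typing import Dict, Optional

# "host:port" -> {"sha256": fingerprint, "first_seen": unix time,
#                 "conflict": fingerprint of a later, different cert}
PinStore = Dict[str, dict]


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: PinStore, host: str, port: int, der_cert: bytes,
              now: Optional[float] = None) -> str:
    """Compare the presented certificate with the one recorded for host:port.

    Returns:
      "new"      first contact; the fingerprint is recorded (trust on first use)
      "match"    same certificate as before
      "changed"  a different certificate: the old pin is kept and the new
                 fingerprint is stored under "conflict" so the user can
                 compare both out of band. A benign key rotation looks
                 exactly like a mis-issued certificate here, so the decision
                 belongs to the user, not to the store.
    """
    key = f"{host}:{port}"
    fp = fingerprint(der_cert)
    entry = store.get(key)
    if entry is None:
        store[key] = {"sha256": fp,
                      "first_seen": now if now is not None else time.time()}
        return "new"
    if entry["sha256"] == fp:
        entry.pop("conflict", None)  # an earlier conflict resolved itself
        return "match"
    entry["conflict"] = fp
    return "changed"


def accept_change(store: PinStore, host: str, port: int) -> bool:
    """User decision after a 'changed' verdict: adopt the new certificate."""
    entry = store.get(f"{host}:{port}")
    if not entry or "conflict" not in entry:
        return False
    entry["sha256"] = entry.pop("conflict")
    return True


def load_store(path: str) -> PinStore:
    if not os.path.exists(path):
        return {}
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def save_store(store: PinStore, path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(store, f, indent=2, sort_keys=True)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a live server presents (needs network).

    ssl.get_server_certificate performs no CA validation, which is what
    makes the pin check usable for self-signed and CAcert-issued
    certificates just as for commercially signed ones.
    """
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def demo() -> list:
    """Offline walk-through on constructed stand-in certificate bytes."""
    store: PinStore = {}
    cert_a = b"constructed stand-in for blog.example's first certificate"
    cert_b = b"constructed stand-in for a different certificate"
    return [
        check_pin(store, "blog.example", 443, cert_a, now=1.0),  # new
        check_pin(store, "blog.example", 443, cert_a),           # match
        check_pin(store, "blog.example", 443, cert_b),           # changed
        accept_change(store, "blog.example", 443),               # True
        check_pin(store, "blog.example", 443, cert_b),           # match
    ]


if __name__ == "__main__":
    print(demo())
```

Every legitimate certificate renewal also produces a "changed" verdict for every user who pinned the old one, which is the "scare the uninitiated" cost Kevin raises; a pin store only tells you that something changed, not why.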


Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Paul Wise
On Tue, Apr 1, 2014 at 6:04 PM, Philip Hands wrote:

> I think the real problem here is the user interface asking one to trust
> a site (forever, unless you're concentrating) at a point where you
> really don't care because all you're interested in is seeing the cute
> picture of an otter on someone's blog.

Indeed, the browser vendors basically fell for the NSA's social
engineering and put up scary warnings for a situation that is
approximately equivalent to plain unencrypted HTTP, which they treat
as all fine and good.

> If browsers treated all new certificates with suspicion, limiting the
> things that could be done in javascript, and not allowing forms to be
> filled in, say, and then when you decided that you wanted to offer the
> site some trust (because you want to fill in your credit card on the
> https://amazon-really-it-is.mafia.biz/ site) the browser could then
> guide you toward some checks that you might want to perform before
> continuing, and because you've got a credit card in your hand you might
> be vaguely interested at that point.

They don't even do that stuff for plain unencrypted HTTP so it is
unlikely they would for self-signed or unknown-ca HTTPS connections.

> Anyway, can we not just have a cacert-certificates package, and then
> people like me, who use cacert, could decide to trust them easily on my
> machines at least?  If we instead do things that make it harder for even
> Free Software enthusiasts to use something like CAcert, then the slim
> chance that CAcert might eventually become properly useful gets even
> slimmer.

From the discussion on #debian-security it sounds like what will
happen is either a ca-certificates-cacert package or adding cacert.org
to ca-certificates but disabled by default.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Philip Hands
Marc Haber  writes:

> On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery wrote:
>>Of course, I'm one of those people who believes that web site certificate
>>signatures as currently implemented, with the level of vetting that's
>>actually done by commercial CAs in practice, are more of an extortion
>>racket than a security measure.
>
> I have to agree on that. But a Startcom Certificate on a personal web
> site is one web site more that doesn't train users to blindly click
> away certificate warnings. A cacert certificate or a self-signed
> certificate on a personal web site is one web site more that does that
> kind of training.

Do you really think that the content on a Startcom certificated site is
more likely to be trustworthy than a CAcert certificated site?

I think the real problem here is the user interface asking one to trust
a site (forever, unless you're concentrating) at a point where you
really don't care because all you're interested in is seeing the cute
picture of an otter on someone's blog.

If browsers treated all new certificates with suspicion, limiting the
things that could be done in javascript, and not allowing forms to be
filled in, say, and then when you decided that you wanted to offer the
site some trust (because you want to fill in your credit card on the
https://amazon-really-it-is.mafia.biz/ site) the browser could then
guide you toward some checks that you might want to perform before
continuing, and because you've got a credit card in your hand you might
be vaguely interested at that point.

Anyway, can we not just have a cacert-certificates package, and then
people like me, who use cacert, could decide to trust them easily on my
machines at least?  If we instead do things that make it harder for even
Free Software enthusiasts to use something like CAcert, then the slim
chance that CAcert might eventually become properly useful gets even
slimmer.

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]http://www.hands.com/
|-|  HANDS.COM Ltd.http://ftp.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND




Re: ca-certificates: no more cacert.org certificates?!?

2014-04-01 Thread Marc Haber
On Mon, 31 Mar 2014 16:03:30 -0700, Russ Allbery wrote:
>Of course, I'm one of those people who believes that web site certificate
>signatures as currently implemented, with the level of vetting that's
>actually done by commercial CAs in practice, are more of an extortion
>racket than a security measure.

I have to agree on that. But a Startcom Certificate on a personal web
site is one web site more that doesn't train users to blindly click
away certificate warnings. A cacert certificate or a self-signed
certificate on a personal web site is one web site more that does that
kind of training.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-31 Thread Guido Günther
Hi,
On Mon, Mar 31, 2014 at 04:03:30PM -0700, Russ Allbery wrote:
> Brian May  writes:
> > On 1 April 2014 04:42, Marc Haber  wrote:
> 
> >> cacert.org is unusable if you offer your web site to muggles. It's
> >> not in the browsers.
> 
> > Not sure what you mean. cacert.org is unusable at the moment because it
> > isn't included in the browsers. Which is the problem we were discussing
> > in this thread.
> 
> But nothing Debian does one way or the other is going to get cacert.org's
> root certificates into the general end-user browsers.  So that's a reality
> that we're going to have to continue to live with.
> 
> Given that reality, it's not clear to me that cacert.org certificates
> really have much of an advantage for most use cases over self-signed
> certificates.

AFAIK in Debian we currently don't offer a simple way to run your own CA
with a web GUI, auto-reminder of expiry, etc. Having CAcert in
ca-certificates was a great way to cater for that without any extra
setup hassle.

I still don't see why we penalize Debian users for the fact that _other_
operating systems don't include the cacert certificate.

Cheers, 
 -- Guido





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-31 Thread Russ Allbery
Brian May  writes:
> On 1 April 2014 04:42, Marc Haber  wrote:

>> cacert.org is unusable if you offer your web site to muggles. It's
>> not in the browsers.

> Not sure what you mean. cacert.org is unusable at the moment because it
> isn't included in the browsers. Which is the problem we were discussing
> in this thread.

But nothing Debian does one way or the other is going to get cacert.org's
root certificates into the general end-user browsers.  So that's a reality
that we're going to have to continue to live with.

Given that reality, it's not clear to me that cacert.org certificates
really have much of an advantage for most use cases over self-signed
certificates.

Of course, I'm one of those people who believes that web site certificate
signatures as currently implemented, with the level of vetting that's
actually done by commercial CAs in practice, are more of an extortion
racket than a security measure.

-- 
Russ Allbery (r...@debian.org)   





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-31 Thread Brian May
On 1 April 2014 04:42, Marc Haber  wrote:

> cacert.org is unusable if you offer your web site to muggles. It's
> not in the browsers.


Not sure what you mean. cacert.org is unusable at the moment because it
isn't included in the browsers. Which is the problem we were discussing in
this thread.
-- 
Brian May 


Re: ca-certificates: no more cacert.org certificates?!?

2014-03-31 Thread Marc Haber
On Mon, 31 Mar 2014 09:24:29 +1100, Brian May
 wrote:
>On the other hand, getting back on topic, cacert.org offers you
>certificates free, and for any purpose, which is why it is much better than
>any of the other free alternatives (I only know one free alternative).

cacert.org is unusable if you offer your web site to muggles. It's
not in the browsers.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-30 Thread Marco d'Itri
On Mar 31, Brian May  wrote:

> On the other hand, getting back on topic, cacert.org offers you
> certificates free, and for any purpose, which is why it is much better than
> any of the other free alternatives (I only know one free alternative).
And they are about as useful as self-signed ones, as we know.

-- 
ciao,
Marco




Re: ca-certificates: no more cacert.org certificates?!?

2014-03-30 Thread Brian May
On 30 March 2014 17:26, Marc Haber  wrote:

> I find this somewhat a fair deal. If you make money from your web
> site, you should pay for the certificate.
>
>
Where do you draw the line? Does a commercial company hosting a website,
say for documentation for a commercial product, count as a for-profit
website?

Also, startcom seems to be offline a lot lately, as I mentioned
before. A bit poor if you have to pay for such bad service.

The actual wording, from http://www.startssl.com/policy.pdf is:

"3.1.2.1

"Class 1 Certificates provide modest assurances that
the email originated from a sender with the specified email
address or that the domain address belongs to the respective
server address. These certificates provide no proof of the
identity of the subscriber or of the organization.

"Class 1 certificates are limited to client and server
certificates, whereas the later is restricted in its usage for
non-commercial purpose only. Subscribers MUST upgrade to Class
2 or higher level for any domain and site of commercial nature,
when using high-profile brands and names or if involved in
obtaining or relaying sensitive information such as health
records, financial details, personal information etc."

What does "commercial in nature" mean?

If I run a website as a hobby, and have Google ads on it, does it count as
a website of commercial nature?

Does this mean that if I set up a website giving helpful hints for Microsoft
Windows (a high profile brand), I cannot use a class 1 certificate? Not
exactly like I would expect to get any money from it.

They haven't really defined what they mean, and I think that is a big
problem.


On the other hand, getting back on topic, cacert.org offers you
certificates free, and for any purpose, which is why it is much better than
any of the other free alternatives (I only know one free alternative).

I don't understand what is going on behind the scenes, however from my
perspective (which may or may not be correct) it appears that every time
cacert.org is about to get somewhere with getting their CA included with my
browsers, they keep getting more and more road blocks put in their way.
Road blocks that other, more established commercial CAs don't have to
worry about.

As such, any statements that say cacert.org is not needed because we have
startcom, are incorrect.
-- 
Brian May 


Re: ca-certificates: no more cacert.org certificates?!?

2014-03-29 Thread Marc Haber
On Sun, 30 Mar 2014 10:26:28 +1100, Brian May
 wrote:
>On 29 March 2014 18:10, Marc Haber  wrote:
>> My last renew of a startcom certificate was in February 2014. I guess
>> you were victim of misunderstanding, or they indeed check what kind of
>> service a certificate is used for and decide whether to continue to
>> offer the certificate for this particular service for free or not.
>
>If you look up their policies (there is a pdf file somewhere), they say
>that the class 1 certificates (the free certificates) are only to be used
>for non-commercial websites. At quick glance, I couldn't find any
>definition of what "non-commercial" means.

I find this somewhat a fair deal. If you make money from your web
site, you should pay for the certificate.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-29 Thread Brian May
On 29 March 2014 18:10, Marc Haber  wrote:

> My last renew of a startcom certificate was in February 2014. I guess
> you were victim of misunderstanding, or they indeed check what kind of
> service a certificate is used for and decide whether to continue to
> offer the certificate for this particular service for free or not.


If you look up their policies (there is a pdf file somewhere), they say
that the class 1 certificates (the free certificates) are only to be used
for non-commercial websites. At quick glance, I couldn't find any
definition of what "non-commercial" means.

I wanted to quote the actual text, but instead get "Weekend Maintenance":

"Some of our services are offline and under maintenance at weekends until
7:00 AM GMT. We apologize for the temporary inconvenience and thank you for
your understanding."

This basically means they are always offline when I need them the most, at
least for my personal servers :-(
-- 
Brian May 


Re: ca-certificates: no more cacert.org certificates?!?

2014-03-29 Thread Marc Haber
On Wed, 26 Mar 2014 14:32:49 +1100, Dmitry Smirnov
 wrote:
>On Tue, 25 Mar 2014 15:29:12 Marc Haber wrote:
>>  wrote:
>> >I just want to note that Startcom is no match to cacert.org in regards to
>> >free SSL certificates. Some years ago I got free certificate from Startcom
>> >but a year later Startcom refused to renew it for free.
>> 
>> They renew their certificates only in the last (two?) weeks of the
>> lifetime. You cannot renew them at your convenience, you have to do it
>> at theirs.
>
>It had nothing to do with timing. I got usual email notice "renew your 
>certificate before it expire", submitted renewal request and got "Certificate 
>Declined" response. When I asked why they explained that "Class 1 certificates 
>are not meant to be used for e-commerce" despite that it was not a problem 
>when they issued original certificate one year prior to that. They refused to 
>renew certificate in January 2011 so my guess is that they've changed their 
>policy some time in 2010...

My last renew of a startcom certificate was in February 2014. I guess
you were victim of misunderstanding, or they indeed check what kind of
service a certificate is used for and decide whether to continue to
offer the certificate for this particular service for free or not.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-25 Thread Dmitry Smirnov
On Tue, 25 Mar 2014 15:29:12 Marc Haber wrote:
>  wrote:
> >I just want to note that Startcom is no match to cacert.org in regards to
> >free SSL certificates. Some years ago I got free certificate from Startcom
> >but a year later Startcom refused to renew it for free.
> 
> They renew their certificates only in the last (two?) weeks of the
> lifetime. You cannot renew them at your convenience, you have to do it
> at theirs.

It had nothing to do with timing. I got the usual email notice "renew your
certificate before it expire", submitted a renewal request and got a "Certificate
Declined" response. When I asked why, they explained that "Class 1 certificates
are not meant to be used for e-commerce", despite that not being a problem
when they issued the original certificate one year prior to that. They refused to
renew the certificate in January 2011, so my guess is that they changed their
policy some time in 2010...

-- 
All the best,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B




Re: ca-certificates: no more cacert.org certificates?!?

2014-03-25 Thread Cyril Brulebois
Marc Haber  (2014-03-25):
> They renew their certificates only in the last (two?) weeks of the
> lifetime.

Correct, two weeks.

Mraw,
KiBi.




Re: ca-certificates: no more cacert.org certificates?!?

2014-03-25 Thread Marc Haber
On Mon, 24 Mar 2014 12:22:53 +1100, Dmitry Smirnov
 wrote:
>I just want to note that Startcom is no match to cacert.org in regards to free 
>SSL certificates. Some years ago I got free certificate from Startcom but a 
>year later Startcom refused to renew it for free.

They renew their certificates only in the last (two?) weeks of the
lifetime. You cannot renew them at your convenience, you have to do it
at theirs.

Greetings
Marc
-- 
-- !! No courtesy copies, please !! -
Marc Haber |   " Questions are the | Mail address in header
Mannheim, Germany  | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-25 Thread Raphael Geissert
Edward Allcutt wrote:
>>> On 24/03/2014 14:23, Raphael Geissert wrote:
>>>> If only people actually used DNSSEC and DANE - Chromium/Google Chrome
>>>> dropped support for the latter due to the lack of use[1].
>>>>
>>>> [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
> 
> I believe you are mistaken. That blog post is about Google's own design
> for "DNSSEC stapled certificates", not DANE.

Yes, my bad. The actual reference for DANE is:
https://www.imperialviolet.org/2012/10/20/dane-stapled-certificates.html

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-25 Thread Peter Palfrader
On Tue, 25 Mar 2014, Wouter Verhelst wrote:

> > > Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> > > standard in August 2012[1]. And DNS servers have only had support for them
> > > since recently (I'd say 6 months to 1 year).
> > 
> > DNS servers have supported them for years;  RFC3597 is over a decade old
> > by now.
> 
> RFC3597 does not specify TLSA records, it only specifies how DNS servers should
> handle RRs with unknown (to them) RDATA format. It is essential to allow new
> features to be propagated over the DNS network, but it does not necessarily
> implement TLSA at the signing zone -- and that, apart from widespread
> user agent support, is a pretty critical prerequisite for actually
> starting to use DANE.

The claim was that DNS servers didn't support it.  All you need is
RFC3597 support to add TLSA records to your zone.

e.g.:
} _443._tcp.www.debian.org. IN TYPE52 \# 35 
03010124b4287bf05f884f844373ac21f5afd3f74a31881c907c1e2712248e7ade9ab1

-- 
   |  .''`.   ** Debian **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/
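To make the generic-format record above concrete, here is an added example (not Peter's code) that decodes an RFC 3597 `TYPE52 \# <len> <hex>` line into the TLSA fields defined by RFC 6698, re-encodes it in both the generic and the native `TLSA` presentation form, and checks a presented certificate against it. The only input taken from the post is the www.debian.org record itself; the SPKI bytes used for the matching check are constructed.

```python
"""Decode, encode and check DANE TLSA records (RFC 6698) in the RFC 3597
generic presentation format (TYPE52 \\# <len> <hex>) used in the post above.
Added example; only DEBIAN_RECORD is taken from the message."""
import hashlib
import hmac
import re
from typing import NamedTuple, Optional, Tuple

TLSA_RRTYPE = 52                        # RR type number assigned to TLSA
DIGEST_LEN = {0: None, 1: 32, 2: 64}    # matching type -> expected data length


class TLSA(NamedTuple):
    usage: int       # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int    # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int    # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes      # certificate association data


# owner [ttl] [IN] TYPE<n> \# <len> <hex...>   (hex may contain whitespace)
_GENERIC = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TYPE(?P<type>\d+)\s+\\#\s+"
    r"(?P<len>\d+)\s*(?P<hex>[0-9a-fA-F\s]*)$")


def parse_generic(line: str) -> Tuple[str, TLSA]:
    """Parse one RFC 3597 generic-format line into (owner, TLSA)."""
    m = _GENERIC.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3597 generic-format record")
    if int(m["type"]) != TLSA_RRTYPE:
        raise ValueError("not a TLSA record (expected TYPE52)")
    rdata = bytes.fromhex("".join(m["hex"].split()))
    if len(rdata) != int(m["len"]):
        raise ValueError("declared RDATA length does not match hex payload")
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA needs at least the three header octets")
    rr = TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])
    want: Optional[int] = DIGEST_LEN.get(rr.matching)
    if want is not None and len(rr.data) != want:
        raise ValueError(f"matching type {rr.matching} needs {want} data bytes")
    return m["owner"], rr


def is_valid_generic(line: str) -> bool:
    try:
        parse_generic(line)
        return True
    except ValueError:
        return False


def to_generic(owner: str, rr: TLSA) -> str:
    """RFC 3597 form, usable with any server that handles unknown RR types."""
    rdata = bytes([rr.usage, rr.selector, rr.matching]) + rr.data
    return f"{owner} IN TYPE{TLSA_RRTYPE} \\# {len(rdata)} {rdata.hex()}"


def to_native(owner: str, rr: TLSA) -> str:
    """Native RFC 6698 presentation form for servers that know TLSA."""
    return f"{owner} IN TLSA {rr.usage} {rr.selector} {rr.matching} {rr.data.hex()}"


def make_record(usage: int, selector: int, matching: int,
                cert_der: bytes, spki_der: bytes) -> TLSA:
    """Build the TLSA association data for a certificate from its DER encoding
    and its DER SubjectPublicKeyInfo, per the selector and matching type."""
    obj = cert_der if selector == 0 else spki_der
    if matching == 0:
        data = obj
    elif matching == 1:
        data = hashlib.sha256(obj).digest()
    elif matching == 2:
        data = hashlib.sha512(obj).digest()
    else:
        raise ValueError(f"unknown matching type {matching}")
    return TLSA(usage, selector, matching, data)


def matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate satisfy the record's association data?"""
    expected = make_record(rr.usage, rr.selector, rr.matching, cert_der, spki_der)
    return hmac.compare_digest(expected.data, rr.data)


# The record from the post, with its hex payload re-joined onto one line.
DEBIAN_RECORD = (
    "_443._tcp.www.debian.org. IN TYPE52 \\# 35 "
    "03010124b4287bf05f884f844373ac21f5afd3f74a31881c907c1e2712248e7ade9ab1")

if __name__ == "__main__":
    owner, rr = parse_generic(DEBIAN_RECORD)
    print(to_native(owner, rr))   # usage 3 (DANE-EE), selector 1 (SPKI), SHA-256
```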





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-24 Thread Wouter Verhelst
On Mon, Mar 24, 2014 at 02:58:55PM +0100, Peter Palfrader wrote:
> On Mon, 24 Mar 2014, Adrien CLERC wrote:
> 
> > On 24/03/2014 14:23, Raphael Geissert wrote:
> > >> Anyway, I strongly recommend that nobody waste their time on an issue
> > >> which in a couple of years will be much less relevant thanks to DANE.
> > > If only people actually used DNSSEC and DANE - Chromium/Google Chrome
> > > dropped support for the latter due to the lack of use[1].
> > >
> > > [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
> > >
> > Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> > standard in August 2012[1]. And DNS servers have only had support for them
> > since recently (I'd say 6 months to 1 year).
> 
> DNS servers have supported them for years;  RFC3597 is over a decade old
> by now.

RFC3597 does not specify TLSA records, it only specifies how DNS servers should
handle RRs with unknown (to them) RDATA format. It is essential to allow new
features to be propagated over the DNS network, but it does not necessarily
implement TLSA at the signing zone -- and that, apart from widespread
user agent support, is a pretty critical prerequisite for actually
starting to use DANE.

-- 
This end should point toward the ground if you want to go to space.

If it starts pointing toward space you are having a bad problem and you
will not go to space today.

  -- http://xkcd.com/1133/





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-24 Thread Adrien Clerc
On 24/03/2014 22:18, Edward Allcutt wrote:
> I believe you are mistaken. That blog post is about Google's own
> design for "DNSSEC stapled certificates", not DANE.
I figured it out after a more careful reading. I forgot about this trial
from Google, which was obviously not used enough to be useful. DANE is
not really used yet, but I think it is easier to set up.

Adrien





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-24 Thread Edward Allcutt
On 24/03/2014 14:23, Raphael Geissert wrote:
>> Anyway, I strongly recommend that nobody waste their time on an issue
>> which in a couple of years will be much less relevant thanks to DANE.
> If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped
> support for the latter due to the lack of use[1].
>
> [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html

I believe you are mistaken. That blog post is about Google's own design
for "DNSSEC stapled certificates", not DANE.

On Mon, 24 Mar 2014, Peter Palfrader wrote:
> DNS servers have supported them for years;  RFC3597 is over a decade old
> by now.

TLSA records were defined by RFC6698, which was issued in August 2012.

--
Edward Allcutt

Re: ca-certificates: no more cacert.org certificates?!?

2014-03-24 Thread Peter Palfrader
On Mon, 24 Mar 2014, Adrien CLERC wrote:

> On 24/03/2014 14:23, Raphael Geissert wrote:
> >> Anyway, I strongly recommend that nobody waste their time on an issue
> >> which in a couple of years will be much less relevant thanks to DANE.
> > If only people actually used DNSSEC and DANE - Chromium/Google Chrome
> > dropped support for the latter due to the lack of use[1].
> >
> > [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
> >
> Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
> standard in August 2012[1]. And DNS servers have only had support for them
> since recently (I'd say 6 months to 1 year).

DNS servers have supported them for years;  RFC3597 is over a decade old
by now.

> The issue with that kind of protocol is that you must trust
> your resolver, or have a resolver on your machine, bypassing any
> existing resolver cache of your network provider.

A local validating resolver is not incompatible with using your
provider's recursor (if you actually believe that buys you anything).

-- 
   |  .''`.   ** Debian **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-24 Thread Adrien CLERC
On 24/03/2014 14:23, Raphael Geissert wrote:
>> Anyway, I strongly recommend that nobody waste their time on an issue
>> which in a couple of years will be much less relevant thanks to DANE.
> If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped 
> support for the latter due to the lack of use[1].
>
> [1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html
>
Lack of use? No kidding. TLSA RRs have been promoted to IETF proposed
standard in August 2012[1]. And DNS servers have only had support for them
since recently (I'd say 6 months to 1 year).
If I understood correctly, Chromium/Google Chrome only supported DNSSEC
validation. The issue with that kind of protocol is that you must trust
your resolver, or have a resolver on your machine, bypassing any
existing resolver cache of your network provider.
However, I have been using DNSSEC Validator[2] on Firefox for quite a long time,
and I'm very happy with it. I'll be glad to see it merged, so that we
can really get rid of those EV X.509 certificates, and be able to provide
secure self-hosting solutions for everyone without big scary warnings.

[1]http://tools.ietf.org/html/rfc6698
[2]https://www.dnssec-validator.cz/

Have a good day,

Adrien





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-24 Thread Raphael Geissert
Marco d'Itri wrote:
> I suggest that anybody who wants to participate in this debate should
> clarify if their goal is:
> - choosing appropriate defaults for the general population of our users
> - taking a stand against the PKI system

As a co-maintainer, any email that falls in the second category is a complete 
waste of my time. "ca-certificates" is not trying, nor is the place, to solve 
the problems of the PKI system.

> Anyway, I strongly recommend that nobody waste their time on an issue
> which in a couple of years will be much less relevant thanks to DANE.

If only people actually used DNSSEC and DANE - Chromium/Google Chrome dropped 
support for the latter due to the lack of use[1].

[1]https://www.imperialviolet.org/2011/06/16/dnssecchrome.html

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-23 Thread Marco d'Itri
I suggest that anybody who wants to participate in this debate should
clarify if their goal is:
- choosing appropriate defaults for the general population of our users
- taking a stand against the PKI system

Anyway, I strongly recommend that nobody waste their time on an issue 
which in a couple of years will be much less relevant thanks to DANE.

If you want to hurt the PKI cartel^Wsystem then you should start working 
on DANE.

-- 
ciao,
Marco




Re: ca-certificates: no more cacert.org certificates?!?

2014-03-23 Thread Dmitry Smirnov
On Sun, 23 Mar 2014 08:54:20 Tollef Fog Heen wrote:
> Use http://lwn.net/SubscriberLink/590879/fef0c71560078461/

Interesting article (thank you for the link).
I just want to note that Startcom is no match for cacert.org in regards to free
SSL certificates. Some years ago I got a free certificate from Startcom, but a
year later Startcom refused to renew it for free. I understand that offering a
free certificate was their good will, but they gave me no impression that I was
getting only a trial first-year-for-free offer. It could be that their policy
changed, but these days I doubt it is possible to get a free Startcom certificate
unless for a web site which is clearly non-profit.

By the way an interesting comment was posted to #718434 lately:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#239

-- 
Cheers,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B

---

I am easily satisfied with the very best.
-- Winston Churchill




Re: ca-certificates: no more cacert.org certificates?!?

2014-03-23 Thread Tollef Fog Heen
]] Dmitry Smirnov 

> On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote:
> > FWIW there is an article about it on
> > http://lwn.net/Articles/590879/
> 
> Thanks but LWN subscription is needed to read...

Use http://lwn.net/SubscriberLink/590879/fef0c71560078461/

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-23 Thread Paul Wise
On Sun, Mar 23, 2014 at 3:11 PM, Dmitry Smirnov wrote:
> On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote:
>> FWIW there is an article about it on
>> http://lwn.net/Articles/590879/
>
> Thanks but LWN subscription is needed to read...
> (Alternatively, this item will become freely available on March 27, 2014).

As a member of Debian you have a gratis LWN subscription available:

https://www.debian.org/doc/manuals/developers-reference/resources.html#lwn

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: ca-certificates: no more cacert.org certificates?!?

2014-03-23 Thread Dmitry Smirnov
On Sun, 23 Mar 2014 07:55:05 Andreas Metzler wrote:
> FWIW there is an article about it on
> http://lwn.net/Articles/590879/

Thanks but LWN subscription is needed to read...
(Alternatively, this item will become freely available on March 27, 2014).

-- 
Regards,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B

---

Odious ideas are not entitled to hide from criticism behind the human
shield of their believers' feelings.
-- Richard Stallman




Re: ca-certificates: no more cacert.org certificates?!?

2014-03-22 Thread Andreas Metzler
Dmitry Smirnov  wrote:
> I've just noticed that cacert.org certificates were removed from
> "ca-certificates" a month ago. From changelog [1]:

>* No longer ship cacert.org certificates.  Closes: #718434, LP: #1258286
[...]

FWIW there is an article about it on 
http://lwn.net/Articles/590879/
cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'





ca-certificates: no more cacert.org certificates?!?

2014-03-22 Thread Dmitry Smirnov
I've just noticed that cacert.org certificates were removed from
"ca-certificates" a month ago. From the changelog [1]:

* No longer ship cacert.org certificates.  Closes: #718434, LP: #1258286

I'm disappointed by this decision, and from #718434 I don't get
a clear picture of what is wrong with cacert.org. For years we were
shipping their certificates, and IMHO there should be a damn good
reason to stop doing so. I wish the maintainer would state the reason for
removal in the changelog.

Has the situation with cacert.org certificates dramatically worsened lately?
Were any security flaws discovered?
What are we gaining from dropping their certificates?

Did we notify cacert.org about our intentions to drop their certificates?
What were their comments? Did they provide a time frame to address our concerns?

Cacert.org's web of trust model is very similar to ours. To me it is
essentially more trustworthy than what for-profit CAs offer.
Cacert.org (as the only non-profit, community-managed CA) needs our support.
How is dropping cacert.org certificates going to benefit our communities?

The following comment highlights some benefits of providing cacert.org
certificates:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#209

I want cacert.org certificates to raise no warning in browsers. This way we
can encourage the use of cacert.org certificates as an alternative to self-signed
certificates and therefore promote the use of HTTPS.
Users are supposed to check certificate properties for encrypted connections
if/when they want to check certificate authenticity. I think dropping
cacert.org did more harm than good. Perhaps it's better to promote packages like
"xul-ext-certificatepatrol" rather than punish cacert?
After all, I'm sure the cacert.org team is doing their best, just like we all do
in Debian.

[1]: 
http://metadata.ftp-master.debian.org/changelogs/main/c/ca-certificates/unstable_changelog

-- 
Cheers,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B

---

The most fatal blow to progress is slavery of the intellect. The most
sacred right of humanity is the right to think, and next to the right to
think is the right to express that thought without fear.
-- Helen H. Gardner, "Men, Women and Gods"

