Hi,

Debian is considering removing CAcert.org from its root certificate
package for a couple of reasons:
- It has not passed the standard WebTrust audit needed for inclusion in
the major vendors' CA bundles (Mozilla, Google, Apple, MS, ...)
- It has a history of serious security issues that seem to be systemic to
the implementation, and there doesn't seem to be a serious emphasis on
code security.
- There are allegedly licensing issues associated with redistributing the
root.
- It does not seem to be compliant with current CA/Browser Forum best
practices for security. (CAcert.org is not a member of the CA/Browser
Forum.)

I think it makes sense for OpenBSD to do the same.

Take a look at http://bugs.debian.org/718434 for the discussion. In
particular, please note Ansgar Burchardt's email from September 16
identifying a shell injection vulnerability in CAcert's signing code
(allowing, among other things, arbitrary certificates to be signed), and
please note the general quality of that codebase....

I think Debian and downstream users of its root certificate bundle are
probably the largest population trusting CAcert.org. That is, still, a
fairly small population, and I've made some arguments in that bug report
(see my post at the bottom) why it specifically doesn't make sense for a
small population to trust an additional root certificate that isn't widely
trusted.

Furthermore, Debian's root certificates package is explicitly documented
(in the package description, see
http://packages.debian.org/sid/ca-certificates for example) as just being
a collection of certificates with no particular statement as to whether
those certificates are trustworthy to be root certs. I couldn't find a
clear policy about the inclusion of certificates in OpenBSD's cert.pem,
but note that most other distributions (including Fedora and FreeBSD) have
decided that they want a useful package of default root certificates, and
so they've outsourced the decision to an external entity (generally
Mozilla) that runs an acceptance program involving audits. No such entity
has accepted CAcert. See for instance FreeBSD's deprecation of carrying
their own ca-roots port:
http://www.freshports.org/security/ca-roots/

OpenBSD's inclusion of CAcert is inevitably going to be interpreted as a
statement of trust in CAcert as a certificate authority by the OpenBSD
project. See for instance this discussion:
http://issues.foresightlinux.org/jira/browse/FL-1458

--
Geoffrey Thomas
http://ldpreload.com
geo...@ldpreload.com