On 07/31/2013 20:06, Ansgar Burchardt wrote:
> I'm wondering if Debian really should include CAcert.org root certificates:
> [...]
> And last but not least: while CAcert.org publishes the source code of
> their system[5] (good), looking at it does not make me trust it (it
> causes the opposite effect)...
>
> [5] <http://www.cacert.org/src-lic.php>
>
> This probably also affects Iceweasel and maybe other browsers as well.
I actually filed this report after finding several issues in the CAcert code.

There are some good ideas, for example the private key is stored on a machine not connected to the internet, and of course publishing the source code for their software is always good.

However, looking at the code for a few hours I found several issues, including arbitrary code injection (which should allow getting any certificate signed you want, but no direct access to the private key). One example is [1], but there is at least one more.

Ansgar

PS: I would prefer if discussion about the SPI certificate was kept separate.

[1] <http://git-cacert.it-sls.de/cgi-bin/gitweb.cgi?p=cacert-devel.git;a=commitdiff;h=8fa82f2cbd17e3f32a537cd405b01d6b6c623ea0>