>>>>> Bas Wijnen <wij...@debian.org> writes:
>>>>> On Thu, Mar 13, 2014 at 01:03:23PM +0000, Michael Shuler wrote:

>> * No longer ship cacert.org certificates. Closes: #718434, LP:
>> #1258286

[…]

> Yes, I understand that CAcert's code and procedures are less secure
> than they should be. I don't care. First priority is to get the web
> encrypted. Trusted certificates is secondary. As long as browsers
> don't reasonably allow self-signed certificates, I think we should
> accept any and all certificates as trustworthy; certainly the ones
> from a community-driven CA. (As noted, the current selection doesn't
> seem to filter for security anyway.)

There’re two issues with that. First of all, accepting some “random” certificates may give the users some false sense of security.

Then, I’d like to note that a compromised CA may very well be used to issue an “example.com” certificate /even though/ example.com may already have a valid certificate from some other (non-compromised) CA. And the TLS-enabled user agents generally have no means to discern such a “fake” certificate from the “genuine” one.

That is: the security of the Web is essentially the security of /the least secure/ CA of those one trusts.

…

That being said, could someone please remind me when Debian has itself passed a security audit for the last time? Or, scratch that, – when it was the last time the TLS-related Debian binary packages were audited? (And sorry, “related” also means the entire GNU toolchain – GCC, etc. – since you can’t really trust a binary produced by a compromised compiler, can you?)

TIA.

--
FSF associate member #7257