On Tue, Jan 1, 2013 at 1:44 AM, Rich Freeman <ri...@gentoo.org> wrote:
> The certificates that Gentoo distributes have at least been vouched
> for by somebody who is a part of our community, which is more than can
> be said for most of the upstream certificates.
And you think "vouched for" by some community member is better than Mozilla's audit process, however limiting it may be? Yes, the CA system is broken, but it's what we've got for now.

It seems obvious that including fewer CA roots in our base package is a better solution than including more of them, since (a) it's pretty easy for our users to install more of them, including at scale (via an overlay), and (b) the actual security of a CA probably goes down exponentially as you move towards CAs with a lower level of trust placed in them by organizations like Mozilla.

Speaking of which, say what you will about Mozilla's broken criteria for root inclusion, but Mozilla has no commercial interests, pretty competent security staff, and is already spending lots of staff time on managing their selection of CA roots. So I think we could do worse than tracking them closely (and in fact, I'd say we *are*, currently, doing just that -- doing worse).

IMO it would probably be good to limit our CA roots to Mozilla's libnss selection by default and perhaps add a packaged selection of secondary CAs (like CACert) for those who are so inclined. And if Debian's process is somewhat broken, it might be best to try not to rely on them. It can't be too hard, if Mozilla is already packaging the certificates somehow.

Cheers,

Dirkjan