On Tue, Jan 1, 2013 at 5:51 AM, Dirkjan Ochtman <d...@gentoo.org> wrote:
> On Tue, Jan 1, 2013 at 1:44 AM, Rich Freeman <ri...@gentoo.org> wrote:
>> The certificates that Gentoo distributes have at least been vouched
>> for by somebody who is a part of our community, which is more than can
>> be said for most of the upstream certificates.
>
> And you think "vouched for" by some community member is better than
> Mozilla's audit process, however limiting it may be?

Yes.  It certainly is no worse.  To date I'm not aware of a single
security incident involving a certificate introduced by a Gentoo
maintainer, but I'm certainly aware of a few involving
Mozilla-originated certs.

> (b) actual security of a CA probably goes down
> exponentially as you move towards CAs with a lower level of trust
> placed in them by organizations like Mozilla.

Care to substantiate that claim?  The fact that Mozilla trusts a
certificate does not confer security in and of itself.

> IMO it would probably be good to limit our CA roots to Mozilla's
> libnss selection by default and perhaps add a packaged selection of
> secondary CAs (like CACert) for those who are so inclined. And if
> Debian's process is somewhat broken, it might be best to try not to
> rely on them. It can't be too hard, if Mozilla is already packaging
> the certificates somehow.

I've yet to see any evidence that Debian's process is broken.  There
is simply the claim that Mozilla's process is somehow better.

I could see the logic in requiring regular Gentoo audits for any
certificates we bundle, in which case we likely wouldn't be bundling
any certificates at all (and would be stripping any provided by
upstream).  However, the only thing following the Mozilla process
ensures is that a few commercial entities make lots of money (even if
Mozilla isn't one of them).  For a company with deep pockets like
Mozilla I can see why they do this - even if it provides no security
they can just say they're doing what everybody else is doing and it
will likely hold up in court.  The appearance of security matters more
than actual security to them.

Rich
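Dirkjan's suggestion of deriving the default root set from Mozilla's libnss selection amounts, in practice, to converting NSS's certdata.txt into a PEM bundle. What follows is an added example, not code from this thread, from Gentoo, Debian or Mozilla: a minimal Python converter that honours the CKO_NSS_TRUST records (matched to certificates by issuer and serial) instead of exporting every CKO_CERTIFICATE object. The distinction matters because certdata.txt also carries certificates whose trust record is CKT_NSS_NOT_TRUSTED, i.e. explicitly distrusted, and a naive export would turn those into trusted roots. The input is a constructed, minimal certdata-style text whose CKA_VALUE blobs are placeholder bytes rather than real DER; the function names are this example's own.

```python
"""Convert an NSS certdata.txt-style file into a PEM bundle, honouring trust bits.

Added example (not Gentoo/Debian/Mozilla code). The sample input below is
constructed and its CKA_VALUE blobs are placeholder bytes, not real certificates.
"""
import base64
import re

TRUST_CLASSES = ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST")  # newer and older spelling
TRUSTED_VALUES = ("CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR")


def parse_certdata(text):
    """Return a list of objects (dict: attribute -> value) in file order.
    MULTILINE_OCTAL values are decoded to bytes; UTF8 values lose their quotes."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)
        attr, typ = parts[0], parts[1] if len(parts) > 1 else ""
        if typ == "MULTILINE_OCTAL":
            buf = bytearray()
            for octal_line in lines:            # consume "\ddd..." lines up to END
                if octal_line.strip() == "END":
                    break
                buf.extend(int(m.group(1), 8) for m in re.finditer(r"\\([0-7]{3})", octal_line))
            value = bytes(buf)
        elif typ == "UTF8":
            value = parts[2].strip('"')
        else:
            value = parts[2] if len(parts) > 2 else ""
        if attr == "CKA_CLASS":                 # every object starts with its class
            current = {}
            objects.append(current)
        if current is not None:
            current[attr] = value
    return objects


def naive_bundle(objects):
    """The pitfall: export every certificate object regardless of its trust record."""
    return [o for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"]


def build_bundle(objects, usage="CKA_TRUST_SERVER_AUTH"):
    """Return (trusted_certs, dropped) for one usage, e.g. CKA_TRUST_SERVER_AUTH
    for a TLS bundle or CKA_TRUST_EMAIL_PROTECTION for S/MIME.
    A certificate is included only if its trust record grants TRUSTED_DELEGATOR."""
    certs = {(o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]): o
             for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    trusted, dropped = [], []
    for o in objects:
        if o.get("CKA_CLASS") not in TRUST_CLASSES:
            continue
        cert = certs.get((o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]))
        if cert is None:
            continue                            # trust record without a certificate body
        if o.get(usage) in TRUSTED_VALUES:
            trusted.append(cert)
        else:                                   # MUST_VERIFY_TRUST or NOT_TRUSTED
            dropped.append((cert["CKA_LABEL"], o.get(usage)))
    return trusted, dropped


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed input: one trusted root and one explicitly distrusted certificate.
SAMPLE_CERTDATA = r"""
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\001\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\005\103\105\122\124\061
END
# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\001\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Cert"
CKA_ISSUER MULTILINE_OCTAL
\060\001\102
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_VALUE MULTILINE_OCTAL
\060\005\103\105\122\124\062
END
# Trust for "Example Distrusted Cert"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Cert"
CKA_ISSUER MULTILINE_OCTAL
\060\001\102
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

if __name__ == "__main__":
    objs = parse_certdata(SAMPLE_CERTDATA)
    trusted, dropped = build_bundle(objs)
    print("naive export would ship %d certs" % len(naive_bundle(objs)))
    print("trust-aware export ships %d, drops %s" % (len(trusted), dropped))
    print("".join(to_pem(c["CKA_VALUE"]) for c in trusted))
```

Run against a real certdata.txt the same logic produces one bundle per usage; the code-signing run above drops both sample entries, which is the point: a root is only a root for the usages its trust record grants, and any rebuild of the bundle that skips the CKO_NSS_TRUST objects silently re-trusts everything Mozilla has revoked.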
