[cc += sugar-de...@]

On Thu, 2009-07-02 at 10:25 +0200, Sascha Silbe wrote:
> On Thu, Jul 02, 2009 at 06:31:13AM +0200, Bernie Innocenti wrote:
>
> > And even then, rather than paying the pizzo (*) to the SSL mafia, we
> > could create our own Sugar Labs CA and install our certificate in the
> > bundle used by Browse. IIRC, OLPC was also doing this.
> What about including the CACert one instead?
>
> Sure, they're having (organisational) trouble again, but to be honest I
> nevertheless trust them way more than any commercial CA.

I used to trust them more, but many others are pulling the CACert certificate from their bundles because it finally got audited for security and *failed* to demonstrate sufficiently secure procedures for master key handling.

Frankly, I'm very disappointed in CACert: this auditing saga has been going on for *ages* without good communication on their side. What's missing now? What's the ETA for it?

By giving everybody the expectation they will become *the* free accredited CA soon, they're preventing others from doing the same for real. I'm sure they'd promptly help CACert if they needed money, hardware, volunteers, software development.. *anything!*

I don't know what to think: SSL mafia conspiracy or CACert incompetence?

> BTW: Does Browse fall back to the system supplied CAs (/etc/ssl/certs)?
> Debian already includes CACert and IIRC some others as well.

I'm pretty sure Firefox only uses its own separate bundle in Debian, because its strict branding policy certainly demands not altering the list of trusted CAs who have been going through an expensive corrup^H^H^H^H^H^Hvalidation process demanded by the Mozilla Foundation.

One can still choose any CA they like in the bundles used by Iceweasel or Browse.

-- 
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/