Hi all,
(replying for myself, not any organisation.)
I wasn't aware of this debate, but now that it is closed, maybe it is
helpful to put some context on it.
The essential decision you have to take, and have taken is this:
Follow Mozilla's lead, or not?
Having taken it, I can say two
Hi Thomas--
Thanks for the time and consideration you've put into this discussion,
and for your clarifying remarks.
On 03/14/2014 01:31 AM, Thomas R. Koll wrote:
In a nutshell, if you want CACert to be re-added you must prove
CACert and its infrastructure is trustworthy.
Something CACert has
Hi Thomas,
Thomas R. Koll wrote:
In a nutshell, if you want CACert to be re-added you must prove
CACert and its infrastructure is trustworthy.
That's IMHO the wrong check for inclusion.
As I already wrote in my initial mail (you should have read it
fully... ;-), I suggest to include but
Hi Daniel,
On 14 March 2014 07:07, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
On 03/14/2014 01:31 AM, Thomas R. Koll wrote:
[your thoughts on the CA ecosystem]
Thanks for sharing your opinion.
ca-certificates didn’t have much of a policy until recently, but giving that
a good, secure
On Fri, 14 Mar 2014 at 6:31, Thomas R. Koll wrote:
On 13.03.2014 at 17:21, Christoph Anton Mitterer
cales...@scientia.net wrote:
I doubt that the removal of CAcert was a good decision?
I wish you would have read the whole bug
On 14.03.2014 at 10:54, Klaus Ethgen kl...@ethgen.ch wrote:
In a nutshell, if you want CACert to be re-added you must prove
CACert and its infrastructure is trustworthy.
Something CACert has attempted but even their internal audits have failed.
Well, CAcert is not more or less
On Fri, 2014-03-14 at 06:31 +0100, Thomas R. Koll wrote:
In a nutshell, if you want CACert to be re-added you must prove
CACert and its infrastructure is trustworthy.
Something CACert has attempted but even their internal audits have failed.
Well but to be honest... that is plain stupid and
On Fri, 2014-03-14 at 09:59 +0100, Raphael Geissert wrote:
We are closely watching the transition from SPI certificates to the
ones provided by Gandi.
Which btw is another really bad idea...
Debian should have its own CA (if X.509 is used in places to secure
its services)... and that CA should
On Fri, 2014-03-14 at 11:22 +0100, Thomas R. Koll wrote:
Those certificates packaged by and copied over from Mozilla do fulfil their
policy which can be found here:
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
In the inclusion section you can find a
I doubt that the removal of CAcert was a good decision...
We include such doubtful CAs as CNNIC, TURKTRUST, and all the
(ultimately) NSA controlled US-based CAs... so whether the audit of
CAcert looks promising now or not does not really matter that much, if
you compare it to the others.
And we
Hi,
Christoph Anton Mitterer wrote:
I doubt that the removal of CAcert was a good decision...
A quite bad decision in my view, too.
Already having CAcert root certificates in the right place over
really trusted ways (secure apt) is^Wwas one of Debian's cooler
features.
So thanks Chris for
Hi,
On Thursday 13 March 2014 23:09:48 Axel Beckert wrote:
Christoph Anton Mitterer wrote:
I doubt that the removal of CAcert was a good decision...
A quite bad decision in my view, too.
Thanks for sharing your thoughts.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org -
On 03/13/2014 06:09 PM, Axel Beckert wrote:
The administrator of a machine can easily disable certificates he
doesn't trust, but only if they are included in ca-certificates.
So if it helps including CAcert's root certificates again in
ca-certificates, please include them, but disable them
On Thu, 2014-03-13 at 23:09 +0100, Axel Beckert wrote:
With the exception that you think that ca-certificates
is merely the Mozilla CA package
Well of course I know that the Mozilla/NSS packages (iceweasel, etc.pp.)
do actually not even use ca-certificates... but looking at it, the only
Hi Chris,
Christoph Anton Mitterer wrote:
On Thu, 2014-03-13 at 23:09 +0100, Axel Beckert wrote:
With the exception that you think that ca-certificates
is merely the Mozilla CA package
Well of course I know that the Mozilla/NSS packages (iceweasel, etc.pp.)
do actually not even use
On 13.03.2014 at 17:21, Christoph Anton Mitterer cales...@scientia.net wrote:
I doubt that the removal of CAcert was a good decision…
I wish you would have read the whole bug report, especially the history
of how the CACert root certificate came into ca-certificates.
Hi Daniel,
On Saturday 07 December 2013 01:21:52 Daniel Kahn Gillmor wrote:
can we ship CAs marked as disabled by default? my impression is that
every CA shipped in ca-certificates right now is enabled automatically
unless the user has debconf's priority set to be more verbose than the
On 12/07/2013 07:54 AM, Raphael Geissert wrote:
On Saturday 07 December 2013 01:21:52 Daniel Kahn Gillmor wrote:
The other way to maintain the same CA set is for Someone™ to fix #704180
While I like that solution (having to modify nss to add/remove certs is a
PITA), I wonder how trust
I just wanted to include a reply on this bug that I have been reading
the responses as they have been posted. I appreciate the feedback and
I'm still pretty torn, to be honest.
#1 - Debian does not distribute CAcert's web site code, so while the
question about its quality is technically
On 12/06/2013 07:13 PM, Michael Shuler wrote:
#2 - All CAs included in ca-certificates are available to have the trust
turned off. If you have a concern about a particular CA and do not
trust them, disable that CA.
can we ship CAs marked as disabled by default? my impression is that
every CA
On 12/06/2013 06:21 PM, Daniel Kahn Gillmor wrote:
can we ship CAs marked as disabled by default?
I think this would prove to be a rather severe disservice to Debian
users, making all SSL connections fail for all software that is or
depends on one of the reverse dependencies of
On 12/06/2013 08:11 PM, Michael Shuler wrote:
On 12/06/2013 06:21 PM, Daniel Kahn Gillmor wrote:
can we ship CAs marked as disabled by default?
I think this would prove to be a rather severe disservice to Debian
users, making all SSL connections fail for all software that is or
depends on
On 16 November 2013 17:09, Thijs Kinkhorst th...@debian.org wrote:
[...]
This seems like an unlikely scenario, as CAcert is not enabled by default
in Debian's most used browsers, Iceweasel (Firefox) and Chromium.
I believe it is:
clone 718434 -1
reassign -1 libnss3
retitle -1 nss: Please remove CAcert.org roots
thanks
On Thu, 5 Dec 2013, Raphael Geissert wrote:
On 16 November 2013 17:09, Thijs Kinkhorst th...@debian.org wrote:
[...]
This seems like an unlikely scenario, as CAcert is not enabled by default
in Debian's
On Wed, November 13, 2013 19:48, Geoffrey Thomas wrote:
I'm curious what the status of this bug is -- is there a plan to remove
CAcert in the next upload?
Thanks for your interest. A final decision still has to be made. However,
I think enough information and arguments have been gathered by
I'm curious what the status of this bug is -- is there a plan to remove
CAcert in the next upload?
As far as I can tell, the only CA certificate sources making an active
decision to ship CAcert are Debian, Mageia, and OpenBSD. All other
OSes/distributions that do ship CAcert by default and
Hi Tom,
On Sun, September 15, 2013 01:16, Thomas R. Koll wrote:
But I just found one request that was official (msg #20), Venezuela's
Suscerte
and I also see that in #37 you've referred them to Mozilla.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609942#20
It is a double standard that
On 16.09.2013 at 11:46, Thijs Kinkhorst th...@debian.org wrote:
On Sun, September 15, 2013 01:16, Thomas R. Koll wrote:
But I just found one request that was official (msg #20), Venezuela's
Suscerte
and I also see that in #37 you've referred them to Mozilla.
On 07/31/2013 20:06, Ansgar Burchardt wrote:
I'm wondering if Debian really should include CAcert.org root certificates:
[...]
And last but not least: while CAcert.org publishes the source code of
their system[5] (good), looking at it does not make me trust it (it
causes the opposite
This already went to Michael only, sorry I kept the rest of you out
by mistake.
Yes Michael, facts, that's the one thing this whole issue is missing.
Just read the request to add CACert into mozilla-firefox
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309564
Yes, this was a request to
Hi,
I recently had to read into CACert, whether they are a good
and practical thing to use for https ssl certificates,
with browsers' red warning messages and what not.
During my research I just stumbled across this bugreport
and like to contribute my ¢2.1
I don't think the other discussion on
On 09/14/2013 12:15 PM, Thomas R. Koll wrote:
..lots!..
I appreciate you adding some good details and your thoughts to this bug
report, Thomas.
--
Kind regards,
Michael Shuler
Package: ca-certificates
Severity: important
I'm wondering if Debian really should include CAcert.org root certificates:
The CAcert.org root certificates are only included by a small number of
vendors[1]. No major web browser (Mozilla, Chrome, IE, ...) includes
them by default.
[1]
In addition, I had an email conversation (link to thread is escaping me,
at the moment) about removal due to their license statement [0] that
You are bound by the Root Distribution Licence for any re-distributions
of CAcert's roots. [1].
I was convinced by others that the certificates cannot be
On 07/31/2013 01:55 PM, Michael Shuler wrote:
In addition, I had an email conversation (link to thread is escaping me,
at the moment) about removal due to their license statement [0] that
You are bound by the Root Distribution Licence for any re-distributions
of CAcert's roots. [1].
That