On 03/14/2014 06:14 PM, Pierre Schmitz wrote:
Hi all,
Debian has decided to drop the root certificate of CAcert.org they used to ship with their ca-certificates package. As our package is based on Debian's, the latest ca-certificates package in [testing] also lacks the CAcert certificate.
If we intend to keep it that way we should also remove the patch from our nss package: https://projects.archlinux.de/svntogit/packages.git/tree/trunk/add_spi+cacer...
The Debian bug report can be found at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434
I added the certs to our bundles in 2009. Unfortunately there is no visible progress regarding their inclusion in browsers from Mozilla, Google and Microsoft.
Realistically I cannot vouch for any of the CAs we ship. That's one reason why we push that responsibility upstream to e.g. the Debian project or Mozilla.
What do you think? Imho we should keep following Debian here. Other solutions would be to patch it back in or ship a separate optional package, though that might be impossible for nss.
Greetings,
Pierre
Seems that Debian can't vouch for its CAs either… However, it's not hard to obtain a legitimate free SSL certificate from StartSSL or GlobalSign, so let's keep following Debian in that matter. Users can still import the CAcert root certificate on their own.
--
Bartłomiej Piotrowski
http://bpiotrowski.pl/