Hi, well until now all of this wasn't a problem, so why has it now become one? And well if you have a look at startssl, well they may be offering free certs but only single domain and just use the plain "things".
* It doesn't allow commercial usage
* "only" valid for 1 year
* located in Israel (don't know if this should be good or bad)
There may still be quite a few things that have to be worked on at CAcert, but still I currently would say that I rather trust CAcert signed certs than any other. I mean look at all this fuckup that these firms are doing:
... some have been removed already:
* Revoking Trust in one ANSSI Certificate (*.google.com)
* Revoking Trust in Two TurkTrust Certificates (*.google.com)
* Revoking Trust in DigiCert Sdn. Bhd Intermediate Certificate Authority (weak certs)
* Fraudulent *.google.com Certificate ... => DigiNotar Removal Follow Up
* Firefox Blocking Fraudulent Certificates ... => Comodo Certificate Issue -- Follow Up
... but I still see many problems:
* Chromium still has (all|many) of the certs which I listed above
* still including many 1024 bit keys! (*1)
* too many CAs have issued other RootCAs (like for e.g.: Telekom > DFN > every fucking university in Germany (*2))
* and how far we still can trust CAs from America, where the NSA seems to be fiddling around in the security of all important firms, I can't really say
*1:
/usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Equifax_Secure_eBusiness_CA_1.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Equifax_Secure_Global_eBusiness_CA.crt: 1024 bit
/usr/share/ca-certificates/mozilla/NetLock_Business_=Class_B=_Root.crt: 1024 bit
/usr/share/ca-certificates/mozilla/NetLock_Express_=Class_C=_Root.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt: 1024 bit
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt: 1024 bit
*2: if you ask me, this is just waiting for misuse, as every university (or person who could get access to their CAs) in Germany could issue a cert for [your-bank.com]
Greetings, Neal

On 02.04.2014 14:20, Daniel Micay wrote:
On 02/04/14 05:44 AM, Neal Oakey wrote:
Hi all,
because I can't send this to the arch-dev-public mailing list I will send this here:
In my opinion, just because Debian drops the support for something, this doesn't mean that we should do the same.
And if you look at the bug report you will notice that the information on which Debian is basing their argumentation is old.
For more current information you can see: (sorry I know it's in German) http://www.heise.de/netze/meldung/CAcert-reagiert-auf-Zertifikatsrauswurf-21...
Or http://wiki.cacert.org/Roots/EscrowAndRecovery/NRE which isn't so detailed, but should be up to date.
Greetings, Neal

Mozilla and Debian have both explicitly rejected including CAcert as a certificate authority. Mozilla requires an audit by an unbiased third party in order to show a reasonable proof of security.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs...
If and when CAcert ever gets their act together and is able to pass an audit, Mozilla will likely include it.
Until then, there are plenty of other certificate authorities with free certificates that are also included in every major browser / operating system. For example:
https://www.startssl.com/?app=1
It certainly doesn't help that CAcert seems to be a pile of PHP written in a dialect with little hope of stopping SQL injection, as they're manually building statements and escaping.
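The *1 listing in Neal's message reports the key size of every root in Debian's /usr/share/ca-certificates/mozilla directory. The POSIX shell script below is an added example, not code posted by anyone in this thread; it reproduces that check with the openssl(1) command line tool, which it assumes is on PATH, and flags every certificate whose public key is below a threshold (2048 bits by default, a choice made for this example). The function names are this example's own.

```shell
#!/bin/sh
# Audit a directory of CA certificates for small public keys.
# Assumption (example, not from the thread): openssl(1) is on PATH and the
# certificates are PEM or DER files named *.crt or *.pem, as in Debian's
# /usr/share/ca-certificates/mozilla directory quoted in the *1 listing.

# cert_key_bits FILE: print the public-key size of one certificate in bits,
# or "unknown" when openssl prints no "Public-Key: (N bit)" line (e.g. for
# an unreadable file or a key type openssl reports without a bit count).
cert_key_bits() {
    bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    printf '%s\n' "${bits:-unknown}"
}

# audit_ca_dir DIR [MIN_BITS]: print "path: N bit" for each certificate in
# DIR whose key is smaller than MIN_BITS (default 2048), in the same shape as
# the *1 listing. Returns 0 if nothing was flagged, 1 otherwise, so it can be
# used as a check in a build or configuration-management run.
audit_ca_dir() {
    dir=$1
    min=${2:-2048}
    flagged=0
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue          # skip unmatched glob patterns
        bits=$(cert_key_bits "$f")
        [ "$bits" = unknown ] && continue  # not a certificate we can size
        if [ "$bits" -lt "$min" ]; then
            printf '%s: %s bit\n' "$f" "$bits"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}

# Stand-alone use: audit the system bundle when it is present.
if [ -d /usr/share/ca-certificates/mozilla ]; then
    audit_ca_dir /usr/share/ca-certificates/mozilla 2048 || true
fi
```

The script only reports key sizes; whether a flagged root should actually be distrusted is a policy decision for the distribution or the administrator, since removing a root from the bundle breaks every chain that ends in it.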