On 02/04/14 05:44 AM, Neal Oakey wrote:
Hi all,
Because I can't send this to the arch-dev-public mailing list, I will send it here:

In my opinion, just because Debian drops support for something doesn't mean that we should do the same.
And if you look at the bug report, you will notice that the information on which Debian is basing its argument is old.
For more current information see (sorry, I know it's in German): http://www.heise.de/netze/meldung/CAcert-reagiert-auf-Zertifikatsrauswurf-21...
Or http://wiki.cacert.org/Roots/EscrowAndRecovery/NRE, which isn't as detailed but should be up to date.
Greetings, Neal
Mozilla and Debian have both explicitly rejected including CAcert as a certificate authority. Mozilla requires an audit by an unbiased third party in order to show reasonable proof of security:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs...

If and when CAcert ever gets its act together and is able to pass an audit, Mozilla will likely include it. Until then, there are plenty of other certificate authorities with free certificates that are also included in every major browser / operating system. For example: https://www.startssl.com/?app=1

It certainly doesn't help that CAcert seems to be a pile of PHP written in a dialect with little hope of stopping SQL injection, as they're manually building statements and escaping.
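To make the last point concrete, here is an added example (not CAcert's code, written for this thread) contrasting the escape-then-concatenate pattern with a prepared statement. It assumes PHP with the pdo_sqlite extension; the table and inputs are constructed in the script.

```php
<?php
// Added example: why escaping alone does not make string-built SQL safe,
// and the prepared-statement alternative. Not CAcert's code.
// Assumes the pdo_sqlite extension; the table below is constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE certs (id INTEGER PRIMARY KEY, cn TEXT)");
$pdo->exec("INSERT INTO certs (id, cn) VALUES (1, 'alice.example'), (2, 'bob.example')");

// Fragile pattern: escape the value, then concatenate it into the statement.
// Escaping only protects a value placed inside a quoted string literal; in a
// numeric context (no quotes) whatever the caller passed becomes statement text.
function buildEscaped(PDO $pdo, string $id): string
{
    $escaped = substr($pdo->quote($id), 1, -1); // strip PDO's surrounding quotes
    return "SELECT cn FROM certs WHERE id = " . $escaped;
}

// Robust pattern: the statement text is fixed; the value is validated and
// sent separately as a bound parameter, so it can never change the query.
function lookupPrepared(PDO $pdo, string $id): array
{
    $idInt = filter_var($id, FILTER_VALIDATE_INT);
    if ($idInt === false) {
        throw new InvalidArgumentException("id must be an integer");
    }
    $stmt = $pdo->prepare("SELECT cn FROM certs WHERE id = :id");
    $stmt->execute([':id' => $idInt]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A constructed non-numeric input passes through escaping unchanged and lands
// in the statement; the prepared version rejects it before any SQL is built.
echo buildEscaped($pdo, "1 x"), "\n";
var_dump(lookupPrepared($pdo, "2"));
try {
    lookupPrepared($pdo, "1 x");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The first line of output shows the escaped input sitting unquoted inside the WHERE clause, which is exactly the situation a prepared statement avoids.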