[arch-general] [arch-dev-public] CAcert dropped from certificate bundle

Daniel Micay danielmicay at gmail.com
Wed Apr 2 08:20:58 EDT 2014


On 02/04/14 05:44 AM, Neal Oakey wrote:
> Hi all,
> 
> because I can't send this to the arch-dev-public mailing list I will
> send this here:
> 
> In my opinion, only because Debian drops the support for something this
> doesn't mean that we should do the same.
> 
> And if you look at the Bugreport you will notice that the Information on
> which Debian is basing their argumentation is old.
> 
> For more current information you can see: (sorry I know it's on German)
> http://www.heise.de/netze/meldung/CAcert-reagiert-auf-Zertifikatsrauswurf-2156226.html
> 
> Or http://wiki.cacert.org/Roots/EscrowAndRecovery/NRE which isn't so
> detailed, but should be up to date.
> 
> Greetings,
> Neal

Mozilla and Debian have both explicitly rejected including CAcert as a
certificate authority Mozilla requires an audit by an unbiased third
party in order to show a reasonable proof of security.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

If and when CAcert ever gets their act together and is able to pass an
audit, Mozilla will likely include it.

Until then, there are plenty of other certificate authorities with free
certificates that are also included in every major browser / operating
system. For example:

https://www.startssl.com/?app=1

It certainly doesn't help that CAcert seems to be a pile of PHP written
in a dialect with little hope of stopping SQL injection, as they're
manually building statements and escaping.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140402/5e170410/attachment.asc>


More information about the arch-general mailing list