[arch-general] [arch-dev-public] CAcert dropped from certificate bundle

Neal Oakey neal.oakey at googlemail.com
Wed Apr 2 11:31:05 EDT 2014


Hi,

well until now all of this wasn't a problem, so why has it now become one?


And well if you have a look at startssl, well they may be offering free
certs but only single domain and just use the plain "things".

  * It doesn't allow commercial usage
  * "only" valid for 1 year
  * located in Israel (don't know if this should be good or bad)


There may be still quite a few things that have to be worked on at CAcert
but still I currently would say,
that I rather trust CAcert signed certs than any other.


I mean look at all this fuckup that these firms are doing:

... some have been removed already:

  * Revoking Trust in one ANSSI Certificate (*.google.com)
  * Revoking Trust in Two TurkTrust Certificates (*.google.com)
  * Revoking Trust in DigiCert Sdn. Bhd Intermediate Certificate
    Authority (weak certs)
  * Fraudulent *.google.com Certificate ... => DigiNotar Removal Follow Up
  * Firefox Blocking Fraudulent Certificates ... => Comodo Certificate
    Issue -- Follow Up

... but I still see many problems:

  * Chromium still has (all|many) of the certs, which I listed above
  * still including many 1024 bit keys! (*1)
  * too many CAs have issued other RootCAs (like for e.g.: Telekom > DFN >
    every fucking university in Germany (*2))
  * and how far we still can trust CAs from America, where the NSA seems
    to be fiddling around in the security of all important firms, I
    can't really say



*1:
> /usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Equifax_Secure_eBusiness_CA_1.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Equifax_Secure_Global_eBusiness_CA.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/NetLock_Business_=Class_B=_Root.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/NetLock_Express_=Class_C=_Root.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt: 1024 bit
> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt: 1024 bit

*2:
if you ask me, this is just waiting for misuse, as every university
(or person who could get access to their CAs) in Germany could issue a
cert for [your-bank.com]


Greetings,
Neal

Am 02.04.2014 14:20, schrieb Daniel Micay:
> On 02/04/14 05:44 AM, Neal Oakey wrote:
>> Hi all,
>>
>> because I can't send this to the arch-dev-public mailing list I will
>> send this here:
>>
>> In my opinion, only because Debian drops the support for something this
>> doesn't mean that we should do the same.
>>
>> And if you look at the Bugreport you will notice that the Information on
>> which Debian is basing their argumentation is old.
>>
>> For more current information you can see: (sorry I know it's in German)
>> http://www.heise.de/netze/meldung/CAcert-reagiert-auf-Zertifikatsrauswurf-2156226.html
>>
>> Or http://wiki.cacert.org/Roots/EscrowAndRecovery/NRE which isn't so
>> detailed, but should be up to date.
>>
>> Greetings,
>> Neal
> Mozilla and Debian have both explicitly rejected including CAcert as a
> certificate authority. Mozilla requires an audit by an unbiased third
> party in order to show a reasonable proof of security.
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>
> If and when CAcert ever gets their act together and is able to pass an
> audit, Mozilla will likely include it.
>
> Until then, there are plenty of other certificate authorities with free
> certificates that are also included in every major browser / operating
> system. For example:
>
> https://www.startssl.com/?app=1
>
> It certainly doesn't help that CAcert seems to be a pile of PHP written
> in a dialect with little hope of stopping SQL injection, as they're
> manually building statements and escaping.
>
