Subject: CAcert Code Development list.
- From: Benny Baumann <benbe AT cacert.org>
- To: onlyjob AT debian.org
- Cc: Developers CAcert <cacert-devel AT lists.cacert.org>, Benedikt Heintel <benedikt AT cacert.org>
- Subject: Re: CAcert root certificates re-introduced to Debian as "ca-cacert" package
- Date: Sun, 24 May 2015 11:30:01 +0200
Hi Dmitry,
On 23.05.2015 at 01:56, Dmitry Smirnov wrote:
> Hi,
>
> I just want to let you all know that CAcert root certificates were re-
> introduced to Debian by the "ca-cacert" package:
>
> https://tracker.debian.org/pkg/ca-cacert
>
Saw the news in the Debian PTS and FTP archives.
> Hence it would be great if somebody could update wiki:
>
> https://wiki.cacert.org/FAQ/ImportRootCert#Debian
>
In the current form of the packages I still have some minor issues with
the package.

https://sources.debian.net/src/ca-cacert/2011.0523-1/debian/control/

Line 19: Should read "Root certificate_s_ allow-s- SSL-based
applications [...]"

Lines 34f: I'd suggest "Please note that Debian's inclusion of CAcert
does not imply that any audit according to RFC 3647 or similar standards
has been completed."

NB: "Auditing for trustworthiness" does not - as widely believed - say
anything about the trust and reliance a user can put into issued
certificates. Trust isn't something you certify, but something you have
to earn. Thus our primary goal is less to be "audited for
trustworthiness" but to complete an audit for acceptance in browsers as
an additional indication for people to decide if they trust us.

Also a note on the way the source package is generated: Please include a
check to verify the downloaded files. Even if you aren't verifying the
connection (BTW: The files are accessible on HTTP too) you should
include at least a fingerprint for the root to verify downloaded files.
Other means (like accessing verifiable fingerprints via DNSSEC) might
become available soon (needs discussion with our critical admin team).

Also please note the disclaimer in section 4 of the CAcert RDL and the
obligations specified in section 3. While members of CAcert should be
aware of this I think the current package is lacking a proper
implementation to ensure that EVERY user is made aware of these
clauses/conditions.
> Thanks.
>
Thanks for creating the package.
Regards,
Benny Baumann
CAcert Software Assessment Team
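
The fingerprint check requested in the message above could look like the following. This is an added example, not code from the ca-cacert package or from CAcert; the function names are hypothetical, and the sample bytes and the pin derived from them are constructed so the block runs offline. It hashes the DER encoding rather than the PEM file, so line-ending changes do not affect the result, while any change to the certificate bytes does.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode exactly one PEM certificate block to its DER bytes."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly 1 certificate, found %d" % len(blocks))
    # validate=True rejects stray non-base64 characters instead of skipping them
    return base64.b64decode("".join(blocks[0].split()), validate=True)

def der_to_pem(der):
    """Wrap DER bytes in PEM armor (used here only to build sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def normalize(fingerprint):
    """Accept 'AB:CD:...' or 'abcd...' notation; return lowercase hex."""
    return re.sub(r"[\s:]", "", fingerprint).lower()

def verify_download(pem_text, pinned_sha256):
    """Return the DER bytes if their SHA-256 matches the pin, else raise."""
    der = pem_to_der(pem_text)
    actual = hashlib.sha256(der).hexdigest()
    if not hmac.compare_digest(actual, normalize(pinned_sha256)):
        raise ValueError("fingerprint mismatch, refusing file: " + actual)
    return der

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a
# hash over the DER bytes, so any byte string exercises the check.
SAMPLE_DER = b"constructed sample bytes standing in for a root certificate"
# Assumption: in a real package the pin is a literal obtained out of band and
# committed to the packaging; it is derived from the sample here only so the
# example is self-contained.
PINNED_SHA256 = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    verify_download(der_to_pem(SAMPLE_DER), PINNED_SHA256)
    print("sample accepted")
    try:
        verify_download(der_to_pem(SAMPLE_DER + b"!"), PINNED_SHA256)
    except ValueError as err:
        print("modified copy rejected:", err)
```

Because the build fails closed on a mismatch, the integrity of the fetched file rests on the pinned value rather than on the transport, which matters here since the files are also reachable over plain HTTP.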