CAcert System Admins discussion list

[Dmitry Smirnov <onlyjob AT member.fsf.org>]

On Mon, 25 May 2015 02:23:10 Benny Baumann wrote:
> Make it
> 
>     Please note that CAcert may not _yet_ comply with RFC 3647 or
> similar standards.
> 
> and I'm fine with it!

Done, thank you. :)

https://anonscm.debian.org/cgit/collab-maint/ca-cacert.git/commit/?id=af580e82


> As gpg is usually available you can include the long fingerprint of the
> GnuPG key, fetch that key from a key server, verify the received key has
> the proper fingerprint, download the index.php?id=3 and grep for the PGP
> block. Within that block you find the fingerprints of the class 1 and
> class 3 roots. extracting those fingerprints from the verified signature
> block allows comparing them for the calculated fingerprints of the
> downloaded files.

I do not have enough GPG skills to do that. Examples/patches are welcome if 
you wish to provide a starting point.


> Maybe add things like verifying downloads are valid X.509
> certificates. Also include check for class3 is signed by the root ;-)

Examples how to do that please? Isn't `certtool --verify` already check for 
X.509 validity? I reckon it returns error when it fails to parse X.509...


> I did not say that the current implementation violated the licence, just
> remarked on the implication therein. Yet it would be preferable if such
> a notice could be displayed (even non-interactive) upon install.
> 
> The part to take note of is not the reproduction of the licence (that's
> default and implemented by putting it into the filesystem according to
> FHS), but the limited liability and reliance you should be aware of as
> relying party/user. Especially combined with lines 34f this might
> warrant bringing it to the attention of at least the administrator of a
> system.

I do not see that as necessary. Some time ago when CAcert root certificates 
were shipped in "ca-certificates" package there were no additional notes 
displayed. Neither Mozilla did that back than nor Icedove does so these days.

Besides "ca-certificates" were often quietly pulled as dependency. 
"ca-cacert" 
will be manually installed by systems administrator and (s)he presumably 
understands implications of installing root certificate of a CA. Also we do 
not want to bother with disclaimer translations and I certainly do not want 
to 
introduce precedent. As I've said disclaimers of responsibility are present 
in 
pretty much all free software licenses (except Public Domain which is not a 
license) and there were never need to display (non-interactive) disclaimer on 
package installation. Also some packages contain components licensed by many 
different licenses and it is just not practical to display all disclaimers in 
every package.

I understand how special CAcert is but in the past no packages seems to ever 
show an additional disclaimer for CAcert root certificates. I could include 
disclaimer to README.Debian file but that would be just a duplication that 
adds little to the usefulness of the package.

-- 
Regards,
 Dmitry Smirnov
 GPG key : 4096R/53968D1B

---

No person, no idea, and no religion deserves to be illegal to insult,
not even the Church of Emacs.
        -- Richard Stallman

Attachment: signature.asc
Description: This is a digitally signed message part.