Bug 74290

Summary: Include CAcert root certificate
Product: [Unmaintained] kio Reporter: Kjetil Kjernsmo <kjetil>
Component: ksslAssignee: George Staikos <staikos>
Status: CLOSED INTENTIONAL    
Severity: wishlist CC: brainstorm, bruno+mozilla, duane, evaldo, goldenear, jkt, kai.kasurinen, kde, manfred, matija, matthewa, projects.gg.aaron, rich, sam, Sascha-bugs.kde.org, support, trejkaz
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Debian stable   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Kjetil Kjernsmo 2004-02-05 22:51:23 UTC
Version:            (using KDE KDE 3.2.0)
Installed from:    Debian stable Packages
OS:          Linux

There exists a free CA that will issue needed certificates to anyone free of charge, namely cacert.org. I'd like to see their root certificate included in kssl, so that using this free resource becomes more feasible. Check out 
 http://www.cacert.org/

It is looking like the root certificate is about to enter Mozilla, and while that's not very relevant to KDE per se, it is worth checking out the Mozilla bug for a discussion of good reasons to include this root certificate:
http://bugzilla.mozilla.org/show_bug.cgi?id=215243
Comment 1 Duane 2004-02-22 12:50:51 UTC
It's also relivant to view the news://news.mozilla.org/netscape.public.mozilla.crypto newsgroup as well, as the discussion moved from their bug to the news discussion.
Comment 2 George Staikos 2004-04-22 23:38:37 UTC
Afaik Mozilla has still not accepted it, and I don't have enough information or resources to accept it yet either.  This will have to wait until one of the two aforementioned situations change.
Comment 3 Duane 2004-04-23 00:49:25 UTC
What information do you require?
Comment 4 Ismail Donmez 2004-07-02 06:55:55 UTC
Check http://www.onlamp.com/pub/wlg/5142 . Lets fix this bug.
Comment 5 George Staikos 2004-07-28 21:06:59 UTC
Still not in IE or Mozilla?
Comment 6 Kjetil Kjernsmo 2004-07-28 21:31:40 UTC
Nope. 

I think we can forget about IE. With IE, it is just about the stamp from American Institute of Certified Public Accountants, which is expensive. Mozilla Foundation may develop an independent policy, which KDE may or may not want to follow. I don't know the status of that work. 

It is definately a policy question this, so it is possible that the KDE Project should formulate its own policy, but it is a difficult issue. 
Comment 7 Kjetil Kjernsmo 2004-07-28 21:38:17 UTC
*** This bug has been confirmed by popular vote. ***
Comment 8 George Staikos 2004-08-07 00:39:39 UTC
Based on discussions with people involved in CAcert, we have decided that this won't happen.  There are apparently transparency problems with this "open" CA.

http://article.gmane.org/gmane.comp.security.cacert/1378
http://article.gmane.org/gmane.comp.security.cacert/1186

I consider this case closed.
Comment 9 Erwin Rennert 2004-10-12 10:05:52 UTC
Ahem, two months have passed, and I believe many of the "transparence problems" have since been resolved.

A new board has been elected and the code on which cacert.org is based has been opened for inspection. while cryptography is an especially sensitive issue at all times, and transparency always is a main issue in cryptography; just how transparent are institutions such as verisign and thawte? *Can We Trust Them?*

I would like to ask the more knowledgable than myself to re-inspect the situation at cacert.org and re-open this case
Comment 10 Evaldo Gardenali 2005-06-15 19:50:38 UTC
As of 20050518, CAcert is included in debian ca-certificates package, as shown in http://packages.debian.org/changelogs/pool/main/c/ca-certificates/ca-certificates_20050518/changelog
[quote] add CACert.org's Root CA closes: Bug#213086, Bug#288293 [/quote]

Getting accepted by debian might mean something about trust.

Also, about Comment #9, these links are handy:
http://www.verisign.com/developer/notice/authenticode/index.html
http://www.eweek.com/article2/0,1759,1767871,00.asp

And surprisingly:
http://www.benedelman.org/spyware/images/installers-020305.html

Paying for certificates does not add extra security, it seems :)
Comment 11 Trejkaz Xaoza 2005-09-14 00:20:58 UTC
Is it time to reopen this, given that more information came to light since it was closed?
Comment 12 alk 2005-09-14 17:33:38 UTC
It is important to establish an open certificate authority.  This bug appears to have been closed for political/economic interests rather than on technical grounds.  It definitely should be reviewed.
Comment 13 George Staikos 2005-09-14 18:42:00 UTC
I'm getting sick of receiving comments about this.  It will not happen with our current system, period.  There is clearly a major inability to comprehend the trust infrastructure for SSL, and the state of the system today.  Don't expect any response from me [maintainer of the CA database] about further queries on this topic.
Comment 14 Trejkaz Xaoza 2005-09-14 23:58:16 UTC
Does there need to be another bug opened then, for the KDE project to make its system capable of comprehending trust?
Comment 15 Richard Freeman 2006-04-20 00:35:00 UTC
Has anything changed since 09/2005, or are there any plans for something to change?  It seems like KDE lacks a policy for handling such matters.
Comment 16 George Staikos 2006-04-20 06:00:49 UTC
  We have a policy, and nothing has changed.  Once a webtrust audit is 
successfully passed and it is accepted by Firefox and/or Microsoft, and looks 
suitable to us (which is the easiest of the three criteria), it may be 
accepted.
Comment 17 Richard Freeman 2006-04-20 15:31:25 UTC
Sorry - don't mean to pester.   Is the policy published?  Mozilla does not require a webtrust audit (any 3rd party will do), so you might have #1 without #2.  Obviously there are legal issues, so it might be a long time before we see  a free cert provider given the US legal system (the irony being that it is safer to go with Verisign (who has issued false certs in the past (for no less than MS), and not cacert (which would require the hijacking of a domain to spoof) - all because of an expensive 3rd-party audit).
Comment 18 George Staikos 2006-04-21 00:03:20 UTC
  The policy is that it must be in Netscape Navigator (we are using Firefox as 
an equivalent now), or in MS IE.  It has been that way for a long time, and 
was decided on mailing lists.  I am the only one with commit access to the 
database.
Comment 19 George Staikos 2006-05-19 23:24:37 UTC
*** Bug 127292 has been marked as a duplicate of this bug. ***
Comment 20 Marek Aaron Sapota 2008-09-16 22:20:04 UTC
CAcert is included in most major distributions now and used by quite many prominent sites (FSF, GNU Savannah), still KDE will just follow Microsoft? I won't object if it is rejected on technical bases, but is policy of following Microsoft the best that KDE can do? Don't want to offend anyone, it just sounds stupid to me.
Comment 21 Alain Knaff 2008-12-02 10:44:15 UTC
RapidSSL (http://www.rapidssl.com/) grants a certificate to anybody who is smart enough to buy a mobile phone with a prepaid SIM, without any authentication whatsoever. No id required, an no credit card required either, if you only need the certificate for 30 days (FreeSSL).

Yet their certificate (bearing the issuer CN "Equifax Secure Global eBusiness CA-1") is still accepted by konqueror.
For the sake of consistency, konqueror should either accept CaCert which is more secure (you need to convince at least to geeks that you are who you claim you are), or they should remove Equifax (you only need to know about prepaid mobile plans, or, for that matter phone booths which allow call in. These exist in France, and probably other places as well). IMHO, the latter is far easier to abuse.

This whole certificate business is a sad joke.