| Summary: | Include CAcert root certificate | | |
|---|---|---|---|
| Product: | [Unmaintained] kio | Reporter: | Kjetil Kjernsmo <kjetil> |
| Component: | kssl | Assignee: | George Staikos <staikos> |
| Status: | CLOSED INTENTIONAL | | |
| Severity: | wishlist | CC: | brainstorm, bruno+mozilla, duane, evaldo, goldenear, jkt, kai.kasurinen, kde, manfred, matija, matthewa, projects.gg.aaron, rich, sam, Sascha-bugs.kde.org, support, trejkaz |
| Priority: | NOR | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | Debian stable | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
| Sentry Crash Report: | | | |
Description
Kjetil Kjernsmo
2004-02-05 22:51:23 UTC
It's also relevant to view the news://news.mozilla.org/netscape.public.mozilla.crypto newsgroup as well, as the discussion moved from their bug to the news discussion.

Afaik Mozilla has still not accepted it, and I don't have enough information or resources to accept it yet either. This will have to wait until one of the two aforementioned situations change.

What information do you require? Check http://www.onlamp.com/pub/wlg/5142 . Let's fix this bug.

Still not in IE or Mozilla?

Nope. I think we can forget about IE. With IE, it is just about the stamp from the American Institute of Certified Public Accountants, which is expensive. Mozilla Foundation may develop an independent policy, which KDE may or may not want to follow. I don't know the status of that work. It is definitely a policy question, so it is possible that the KDE Project should formulate its own policy, but it is a difficult issue.

*** This bug has been confirmed by popular vote. ***

Based on discussions with people involved in CAcert, we have decided that this won't happen. There are apparently transparency problems with this "open" CA.
http://article.gmane.org/gmane.comp.security.cacert/1378
http://article.gmane.org/gmane.comp.security.cacert/1186
I consider this case closed.

Ahem, two months have passed, and I believe many of the "transparence problems" have since been resolved. A new board has been elected and the code on which cacert.org is based has been opened for inspection. While cryptography is an especially sensitive issue at all times, and transparency always is a main issue in cryptography, just how transparent are institutions such as Verisign and Thawte? *Can We Trust Them?* I would like to ask those more knowledgeable than myself to re-inspect the situation at cacert.org and re-open this case.

As of 20050518, CAcert is included in the Debian ca-certificates package, as shown in http://packages.debian.org/changelogs/pool/main/c/ca-certificates/ca-certificates_20050518/changelog
[quote] add CACert.org's Root CA closes: Bug#213086, Bug#288293 [/quote]
Getting accepted by Debian might mean something about trust. Also, about Comment #9, these links are handy:
http://www.verisign.com/developer/notice/authenticode/index.html
http://www.eweek.com/article2/0,1759,1767871,00.asp
And surprisingly: http://www.benedelman.org/spyware/images/installers-020305.html
Paying for certificates does not add extra security, it seems :)

Is it time to reopen this, given that more information came to light since it was closed?

It is important to establish an open certificate authority. This bug appears to have been closed for political/economic interests rather than on technical grounds. It definitely should be reviewed.

I'm getting sick of receiving comments about this. It will not happen with our current system, period. There is clearly a major inability to comprehend the trust infrastructure for SSL, and the state of the system today. Don't expect any response from me [maintainer of the CA database] about further queries on this topic.

Does there need to be another bug opened then, for the KDE project to make its system capable of comprehending trust?

Has anything changed since 09/2005, or are there any plans for something to change? It seems like KDE lacks a policy for handling such matters.

We have a policy, and nothing has changed. Once a WebTrust audit is successfully passed and it is accepted by Firefox and/or Microsoft, and looks suitable to us (which is the easiest of the three criteria), it may be accepted.

Sorry - don't mean to pester. Is the policy published? Mozilla does not require a WebTrust audit (any 3rd party will do), so you might have #1 without #2. Obviously there are legal issues, so it might be a long time before we see a free cert provider given the US legal system (the irony being that it is safer to go with Verisign (who has issued false certs in the past (for no less than MS)), and not CAcert (which would require the hijacking of a domain to spoof) - all because of an expensive 3rd-party audit).

The policy is that it must be in Netscape Navigator (we are using Firefox as an equivalent now), or in MS IE. It has been that way for a long time, and was decided on mailing lists. I am the only one with commit access to the database.

*** Bug 127292 has been marked as a duplicate of this bug. ***

CAcert is included in most major distributions now and used by quite many prominent sites (FSF, GNU Savannah); still KDE will just follow Microsoft? I won't object if it is rejected on a technical basis, but is a policy of following Microsoft the best that KDE can do? Don't want to offend anyone, it just sounds stupid to me.

RapidSSL (http://www.rapidssl.com/) grants a certificate to anybody who is smart enough to buy a mobile phone with a prepaid SIM, without any authentication whatsoever. No ID required, and no credit card required either, if you only need the certificate for 30 days (FreeSSL). Yet their certificate (bearing the issuer CN "Equifax Secure Global eBusiness CA-1") is still accepted by Konqueror. For the sake of consistency, Konqueror should either accept CAcert, which is more secure (you need to convince at least two geeks that you are who you claim you are), or it should remove Equifax (you only need to know about prepaid mobile plans, or, for that matter, phone booths which allow call-in. These exist in France, and probably other places as well). IMHO, the latter is far easier to abuse. This whole certificate business is a sad joke.