CAcert should not be trusted by default

Bug #1258286 reported by Luke Faraone on 2013-12-05
24
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates (Debian)
Fix Released
Unknown
ca-certificates (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Saucy
Undecided
Unassigned
Trusty
Undecided
Unassigned
ca-certificates-java (Debian)
Fix Released
Unknown
ca-certificates-java (Ubuntu)
High
Marc Deslauriers
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Saucy
Undecided
Unassigned
Trusty
High
Marc Deslauriers
nss (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Saucy
Undecided
Unassigned
Trusty
Undecided
Unassigned

Bug Description

Ubuntu is one of the few distributions shipping CAcert as a trusted certificate. Many distributions are considering[1] whether to remove CAcert, and Mozilla closed the RFE[2] for CAcert in 2008, which was opened in 2003.

Concerns were expressed about CAcert's code quality[3], and their audit appears to be stalled.

In the past, it appears that Ubuntu disabled[4] CAcert, but this is no longer the case. It may be wise to do so again.

[1]:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#50
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=215243
[3]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#45
[4]: http://wiki.cacert.org/InclusionStatus?highlight=Ubuntu

Changed in ca-certificates (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20130906ubuntu2

---------------
ca-certificates (20130906ubuntu2) trusty; urgency=medium

  * No longer ship cacert.org certificates. (LP: #1258286)
 -- Marc Deslauriers <email address hidden> Wed, 19 Feb 2014 15:57:25 -0500

Changed in ca-certificates (Ubuntu Trusty):
status: New → Fix Released
Michael Shuler (mshuler) wrote :

Was CAcert dropped from NSS in Ubuntu?

Marc Deslauriers (mdeslaur) wrote :

Not yet, no. But it will be.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.15.4-1ubuntu6

---------------
nss (2:3.15.4-1ubuntu6) trusty; urgency=medium

  * No longer ship cacert.org certificates. (LP: #1258286)
    - removed debian/patches/95_add_spi+cacert_ca_certs.patch
    - added debian/patches/95_add_spi_certs.patch
 -- Marc Deslauriers <email address hidden> Thu, 20 Feb 2014 07:38:51 -0500

Changed in nss (Ubuntu Trusty):
status: New → Fix Released
Changed in ca-certificates (Debian):
status: New → Fix Committed
Changed in ca-certificates (Debian):
status: Fix Committed → Fix Released
Matthias Klose (doko) wrote :

the removal breaks the ca-certificates-java build. should be fixed for all active releases.

Changed in ca-certificates-java (Ubuntu Trusty):
importance: Undecided → High
milestone: none → ubuntu-14.04-beta-2
status: New → Confirmed
tags: added: ftbfs
Changed in ca-certificates-java (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ca-certificates-java (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates-java - 20130815ubuntu1

---------------
ca-certificates-java (20130815ubuntu1) trusty; urgency=medium

  * UpdatesCertificatesTest.java: Fix ftbfs by swapping out the no longer
    shipped cacert.org certificate with a Thawte one. (LP: #1258286)
 -- Marc Deslauriers <email address hidden> Thu, 20 Mar 2014 07:41:31 -0400

Changed in ca-certificates-java (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in ca-certificates-java (Debian):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20130906ubuntu0.13.10.1

---------------
ca-certificates (20130906ubuntu0.13.10.1) saucy-security; urgency=medium

  * Update ca-certificates database to 20130906 (LP: #1257265):
    - backport changes from the Ubuntu 14.04 20130906ubuntu1 package
    - No longer ship cacert.org certificates (LP: #1258286)
    - mozilla/certdata2pem.py: Work around openssl issue by shipping both
      versions of the same signed roots. Previously, the script would
      simply overwrite the first one found in the certdata.txt with the
      later one since they both have the same CKA_LABEL, resulting in
      identical filenames. (LP: #1014640, LP: #1031333)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 17:04:56 -0500

Changed in ca-certificates (Ubuntu Saucy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20130906ubuntu0.12.04.1

---------------
ca-certificates (20130906ubuntu0.12.04.1) precise-security; urgency=medium

  * Update ca-certificates database to 20130906 (LP: #1257265):
    - backport changes from the Ubuntu 14.04 20130906ubuntu1 package
    - No longer ship cacert.org certificates (LP: #1258286)
    - No longer ship obsolete debconf.org certificates
    - mozilla/certdata2pem.py: Work around openssl issue by shipping both
      versions of the same signed roots. Previously, the script would
      simply overwrite the first one found in the certdata.txt with the
      later one since they both have the same CKA_LABEL, resulting in
      identical filenames. (LP: #1014640, LP: #1031333)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 17:39:43 -0500

Changed in ca-certificates (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20130906ubuntu0.10.04.1

---------------
ca-certificates (20130906ubuntu0.10.04.1) lucid-security; urgency=medium

  * Update ca-certificates database to 20130906 (LP: #1257265, LP: #1271357):
    - backport changes from the Ubuntu 14.04 20130906ubuntu1 package
    - No longer ship cacert.org certificates (LP: #1258286)
    - No longer ship obsolete debconf.org certificates
    - No longer ship expired brasil.gov.br certificates
    - No longer ship expired signet.pl certificates
    - No longer ship gouv.fr certificates, now part of mozilla bundle
    - No longer ship telesec.de certificates, now part of mozilla bundle
    - mozilla/certdata2pem.py: Work around openssl issue by shipping both
      versions of the same signed roots. Previously, the script would
      simply overwrite the first one found in the certdata.txt with the
      later one since they both have the same CKA_LABEL, resulting in
      identical filenames. (LP: #1014640, LP: #1031333)
 -- Marc Deslauriers <email address hidden> Fri, 07 Feb 2014 13:58:53 -0500

Changed in ca-certificates (Ubuntu Lucid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20130906ubuntu0.12.10.1

---------------
ca-certificates (20130906ubuntu0.12.10.1) quantal-security; urgency=medium

  * Update ca-certificates database to 20130906 (LP: #1257265):
    - backport changes from the Ubuntu 14.04 20130906ubuntu1 package
    - No longer ship cacert.org certificates (LP: #1258286)
    - No longer ship obsolete debconf.org certificates
    - mozilla/certdata2pem.py: Work around openssl issue by shipping both
      versions of the same signed roots. Previously, the script would
      simply overwrite the first one found in the certdata.txt with the
      later one since they both have the same CKA_LABEL, resulting in
      identical filenames. (LP: #1014640, LP: #1031333)
 -- Marc Deslauriers <email address hidden> Thu, 06 Feb 2014 17:23:27 -0500

Changed in ca-certificates (Ubuntu Quantal):
status: New → Fix Released
Changed in ca-certificates-java (Debian):
status: Fix Committed → Fix Released
luckyrings (d8f2) wrote :

Sorry guy, I just have to comment. I am asking again, why should CAcert be removed? The reason why it should be removed is just because of unprooven cncerns about CAcert's code quality and the audit which appears to be stalled? I guess that Ubuntu responsible should contact CAcert to get invitation in their internal auditation process first before doing so. And generally I have to add again. If this is the only reason, then should be also removed the other CA Certificates which use also dubious methods for providing certificates or have weak identification checks for customers.

I am part of cacert community and access enginer for cacert and i also want to know wath the reason is for removing cacert certificates.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.15.4-0ubuntu0.12.04.2

---------------
nss (3.15.4-0ubuntu0.12.04.2) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect IDNA wildcard handling
    - debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
      nss/lib/certdb/certdb.c.
    - CVE-2014-1492
  * No longer ship cacert.org certificates. (LP: #1258286)
    - removed debian/patches/95_add_spi+cacert_ca_certs.patch
    - added debian/patches/95_add_spi_certs.patch
 -- Marc Deslauriers <email address hidden> Wed, 02 Apr 2014 10:22:10 -0400

Changed in nss (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.15.4-0ubuntu0.12.10.2

---------------
nss (3.15.4-0ubuntu0.12.10.2) quantal-security; urgency=medium

  * SECURITY UPDATE: incorrect IDNA wildcard handling
    - debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
      nss/lib/certdb/certdb.c.
    - CVE-2014-1492
  * No longer ship cacert.org certificates. (LP: #1258286)
    - removed debian/patches/95_add_spi+cacert_ca_certs.patch
    - added debian/patches/95_add_spi_certs.patch
 -- Marc Deslauriers <email address hidden> Wed, 02 Apr 2014 10:21:09 -0400

Changed in nss (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.15.4-0ubuntu0.13.10.2

---------------
nss (2:3.15.4-0ubuntu0.13.10.2) saucy-security; urgency=medium

  * SECURITY UPDATE: incorrect IDNA wildcard handling
    - debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
      nss/lib/certdb/certdb.c.
    - CVE-2014-1492
  * No longer ship cacert.org certificates. (LP: #1258286)
    - removed debian/patches/95_add_spi+cacert_ca_certs.patch
    - added debian/patches/95_add_spi_certs.patch
 -- Marc Deslauriers <email address hidden> Wed, 02 Apr 2014 10:19:23 -0400

Changed in nss (Ubuntu Saucy):
status: New → Fix Released
Changed in nss (Ubuntu Lucid):
status: New → Invalid
Changed in ca-certificates-java (Ubuntu Precise):
status: New → Invalid
Changed in ca-certificates-java (Ubuntu Lucid):
status: New → Invalid
Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in ca-certificates-java (Ubuntu Quantal):
status: New → Won't Fix
Rolf Leggewie (r0lf) wrote :

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".

Changed in ca-certificates-java (Ubuntu Saucy):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.