Comment 134 for bug 232340

In , Phr-mozilla (phr-mozilla) wrote:

I got here by way of visiting a site using a cacert.org certificate, then trying to figure out what the heck kind of assurance such a certificate provides. After something like an hour of surfing around the cacert.org site, I haven't found an answer. There is no way I'm going to install the cacert.org root in my browser under these circumstances and I certainly wouldn't want MF installing it by default.

Nelson Bolyard's comments on this thread are well taken, as are others that expressed severe reservations towards those advocating opening up the Mozilla distro's default CA root store to contamination by any dweeb with a PC calling himself a CA. An AICPA audit is probably the right way to do this. There has to be not only technical evaluation of the CA, but also of its financial resources, to attest that it can incur liability if something goes wrong. That really means this is the wrong business for a small nonprofit to be in.

The story about someone fooling Verisign is overblown: it's a "dog bites man" story. And as I remember, the root that signed that cert (it was an IE code signing cert so it didn't affect NS) got replaced in the next IE update, which may have been pushed out early. I have no idea how much (if anything) Verisign paid Microsoft to make that replacement happen, but if I have to guess I'd say "a lot". Is Cacert ready to do that if it finds that it issued a bogus cert?

I agree with whoever said that Mozilla and Firefox's credibility will be shot if it installs this root in the current state of things. I dislike the relentless advocacy of the cacert.org ideologues pressing for inclusion. Cacert doesn't seem to operate at the level of the commercial CAs, even the cheesy ones like InstantSSL. It's at about the level of a typical in-house CA, which normally would put its root into a small set of browsers (those used only by people in the organization with the CA), not spread far and wide into the general browser population, presenting a huge target.

Also, the "included but disabled" notion is silly, as others have described. Importing a .crt file is no big deal technically--the scary part is the warning dialogs describing the extremely dangerous operation in process, and those should NOT be toned down. Any "enable the included disabled cert" dialog should be equally scary, and therefore inclusion without enablement does nothing.

I've been getting FreeSSL certificates (low end brand of Geotrust), now a root but formerly chained to the Equifax root, for $15/year, which I find pretty affordable. If cacert's certs are ever going to be anything other than free, there's not much point to cacert's existence.