On 13.03.2014 at 17:21, Christoph Anton Mitterer <[email protected]> wrote:

> I doubt that the removal of CAcert was a good decision…


I wish you would have read the whole bug report, especially the history
of how the CACert root certificate came into ca-certificates.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#20 and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#30

In a nutshell, if you want CACert to be re-added you must prove
CACert and its infrastructure is trustworthy.
Something CACert has attempted but even their internal audits have failed.

ca-certificates didn’t have much of a policy until recently, but given that
a good, secure policy can take quite some work, relying on Mozilla
is a sensible policy. Plus that SPI root cert, but they run Debian
infrastructure.

Please do not reason against the removal, instead you have to
prove (every year in my eyes) that CACert is trustworthy.
Inverting the burden of proof, as it has happened far too often
in these CACert discussions, is unacceptable when talking about security.
A small question to be added and a few people supporting the
request just won’t pull any longer.

Please stop dragging other CAs around for comparison, every CA has to
prove trustworthiness on their own.

ciao, tom


PS: Lastly, this is not an opinion poll. If your only contrib is a +/-1,
close your mail program.
