On 09/09/2013 03:19 AM, Pavel Volkov wrote:
> On Mon, Sep 9, 2013 at 6:05 AM, Michael Orlitzky <mich...@orlitzky.com
> <mailto:mich...@orlitzky.com>> wrote:
> 
>     The CA infrastructure was never secure. It exists to transfer money away
>     from website owners and into the bank accounts of the CAs and browser
>     makers. Security may be one of their goals, but it's certainly not the
>     motivating one.
> 
> 
> Well, at least CAcert doesn't exist for money.

You sort of make my point for me:

  If you want to access a website that uses a SSL certificate signed by
  CAcert, you might get an SSL warning. We are sorry, but currently
  that's still 'normal' as mainstream browsers don't automatically
  include the CAcert Root Certificate yet. [1]

So, CAcert certificates don't eliminate the browser warning, which is
the only reason you would ever pay for a certificate in the first place.
But why don't browsers include CAcert?

  Traditionally vendors seeking to have their root certificates
  included in browsers (directly or via the underlying OS
  infrastructure like Safari via OS X's Keychain) would have to seek an
  expensive Webtrust audit (~$75,000 up-front plus ~$10,000 per
  year). [2]

They don't pay up! So I wouldn't include CAcert in my blanket statement,
but they're not really part of the CA infrastructure and you might as
well use a self-signed cert instead if you're gonna get a warning anyway.


> I've got a question about Gentoo in this case. If we assume that stage3
> is trusted, does portage check that mirrors are trusted?

No. There's a GLEP for some of these issues:

  https://www.gentoo.org/proj/en/glep/glep-0057.html

The relevant part is,

  ...any non-Gentoo controlled rsync mirror can modify executable code;
  as much of this code is per default run as root a malicious mirror
  could compromise hundreds of systems per day - if cloaked well
  enough, such an attack could run for weeks before being noticed.

[1] http://wiki.cacert.org/FAQ/BrowserClients
[2] http://wiki.cacert.org/InclusionStatus
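The rsync-mirror concern quoted from the GLEP, illustrated with an added example that is not part of this thread and is not portage's own code: a Manifest-style hash check catches a file altered on a mirror only when the Manifest itself comes from somewhere the mirror cannot rewrite (here a Manifest digest obtained out of band stands in for a signature check). The Manifest line layout, file names and file contents below are constructed assumptions.

```python
import hashlib

# Constructed example (not Gentoo's or portage's own code): a minimal checker
# for Manifest-style integrity entries, assumed here to look like
#   <TYPE> <filename> <size> <HASHNAME> <hexdigest>
# with one hash per line (the real format lists several hashes per entry).

def parse_manifest(text):
    """Return {filename: (size, hash_name, hexdigest)} from Manifest lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank lines, comments and signature armour are skipped
        _type, name, size, hash_name, digest = parts
        entries[name] = (int(size), hash_name.lower(), digest.lower())
    return entries

def verify_file(entries, name, data):
    """True if `data` matches the size and digest recorded for `name`."""
    if name not in entries:
        return False
    size, hash_name, digest = entries[name]
    return len(data) == size and hashlib.new(hash_name, data).hexdigest() == digest

def verify_tree(manifest_text, files, trusted_manifest_digest=None):
    """Verify every file against the Manifest. If a digest of the Manifest
    obtained over a trusted channel is supplied, the served Manifest must
    match it first; this stands in for the signature check the GLEP asks for."""
    if trusted_manifest_digest is not None:
        if hashlib.sha256(manifest_text.encode()).hexdigest() != trusted_manifest_digest:
            return False
    entries = parse_manifest(manifest_text)
    return all(verify_file(entries, name, data) for name, data in files.items())

def _entry(name, data):
    return "EBUILD %s %d SHA256 %s" % (name, len(data), hashlib.sha256(data).hexdigest())

# Constructed sample tree as published by the trusted source.
GOOD_FILES = {"foo-1.0.ebuild": b'src_install() { emake DESTDIR="${D}" install; }\n'}
GOOD_MANIFEST = _entry("foo-1.0.ebuild", GOOD_FILES["foo-1.0.ebuild"])
TRUSTED_DIGEST = hashlib.sha256(GOOD_MANIFEST.encode()).hexdigest()

# The same tree after an untrusted mirror altered the ebuild and, since it
# also serves the Manifest, regenerated the Manifest to match the new file.
MIRROR_FILES = {"foo-1.0.ebuild": GOOD_FILES["foo-1.0.ebuild"] + b"# altered on the mirror\n"}
MIRROR_MANIFEST = _entry("foo-1.0.ebuild", MIRROR_FILES["foo-1.0.ebuild"])
```

Checking files against a Manifest served by the same mirror passes even for the altered tree; only the comparison against the out-of-band digest rejects it.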