Eric Dorland wrote:
> But I don't think it's good for our users for Debian to have rights that the user doesn't have.
Debian already has rights that their users don't have, the most prominent among them being to label a Linux distribution as "Debian" (or "official Debian", or whatever it is you guys use). :-)
> They do have concerns about the trustability of CAcert certs. I'm mostly convinced they're no worse than other CAs.
What we have a problem with (in the context of including the cert in Firefox) is the fact that CAcert haven't been audited, so the risk of including them is unquantifiable. Please see the CAcert list for recent discussions on this topic.
Eric Dorland wrote in another thread:
> Will they add the SPI root CA to their root CA list? It's pretty Debian
> specific, so I doubt it.

There are two ways we could go about this. The first is for the MoFo to have a list of CAs who meet the CA policy[0] in all other ways except that they are too specific to go into the general Firefox build. These could then be included by any distributor at will.
The difficulty with that is that currently we don't have time to evaluate the requests of all the CAs requesting general distribution, let alone ones we aren't going to include ourselves.
The second is for Debian to show us their policy on how they decide whether a CA is trustworthy, and we say "yes, taking everything into account, that policy is OK with us" and then we let you guys get on with it. But to attempt this, I need to see the policy :-)
Gerv

[0] http://www.hecker.org/mozilla/ca-certificate-policy