
Re: Ongoing Firefox (and Thunderbird) Trademark problems



* Gervase Markham (gerv@mozilla.org) wrote:
> Eric Dorland wrote:
> >But I don't think it's good for our users for Debian to have rights
> >that the users don't have.
> 
> Debian already has rights that their users don't have, the most 
> prominent among them being to label a Linux distribution as "Debian" (or 
> "official Debian", or whatever it is you guys use). :-)

When I said rights, I meant rights to the software in main. That's
what Debian cares about. I should have been more clear.
 
> >They do have concerns about the trustability of CAcert certs. I'm
> >mostly convinced they're no worse than other CA's. 
> 
> What we have a problem with (in the context of including the cert in 
> Firefox) is the fact that CAcert haven't been audited, so the risk of 
> including them is unquantifiable. Please see the CAcert list for recent 
> discussions on this topic.

Can you please point me to the document where you went and verified
that all your current CA's have been audited and met your CA policy? 

> Eric Dorland wrote in another thread:
> > Will they add the SPI root CA to their root CA list? It's pretty Debian
> > specific, so I doubt it.
> 
> There are two ways we could go about this. The first is for the MoFo to 
> have a list of CAs who meet the CA policy[0] in all other ways except 
> that they are too specific to go into the general Firefox build. These 
> could then be included by any distributor at will.

Here's another situation you might want to consider. What if Debian
decided one of your CA's was not trustworthy and removed it? Would
that be grounds for losing the trademark?

> The difficulty with that is that currently we don't have time to 
> evaluate the requests of all the CAs requesting general distribution, 
> let alone ones we aren't going to include ourselves.
> 
> The second is for Debian to show us their policy on how they decide 
> whether a CA is trustworthy, and we say "yes, taking everything into 
> account, that policy is OK with us" and then we let you guys get on with 
> it. But to attempt this, I need to see the policy :-)

Frankly, when someone uses Debian, they're implicitly trusting our
security decisions. We can root their boxes. I'm not eager to defer
our decisions on what CA's we consider secure to the MoFo. Maybe
Fumitoshi-san feels differently. 
 
> [0] http://www.hecker.org/mozilla/ca-certificate-policy

-- 
Eric Dorland <eric.dorland@mail.mcgill.ca>
ICQ: #61138586, Jabber: hooty@jabber.com
1024D/16D970C6 097C 4861 9934 27A0 8E1C  2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ 
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ 
G e h! r- y+ 
------END GEEK CODE BLOCK------
