
Re: ca-certificates: no more cacert.org certificates?!?



Brian May <brian@microcomaustralia.com.au> writes:
> On 1 April 2014 04:42, Marc Haber <mh+debian-devel@zugschlus.de> wrote:

>> cacert.org is unusable if you offer your web site to muggles. It's
>> not in the browsers.

> Not sure what you mean. cacert.org is unusable at the moment because it
> isn't included in the browsers. Which is the problem we were discussing
> in this thread.

But nothing Debian does one way or the other is going to get cacert.org's
root certificates into the general end-user browsers.  So that's a reality
that we're going to have to continue to live with.

Given that reality, it's not clear to me that cacert.org certificates
really have much of an advantage for most use cases over self-signed
certificates.

Of course, I'm one of those people who believes that web site certificate
signatures as currently implemented, with the level of vetting that's
actually done by commercial CAs in practice, are more of an extortion
racket than a security measure.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

