Re: ca-certificates: no more cacert.org certificates?!?
- To: Russ Allbery <rra@debian.org>
- Cc: debian-devel@lists.debian.org
- Subject: Re: ca-certificates: no more cacert.org certificates?!?
- From: Guido Günther <agx@sigxcpu.org>
- Date: Tue, 1 Apr 2014 07:20:45 +0200
- Message-id: <[🔎] 20140401052045.GA2552@bogon.m.sigxcpu.org>
- Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Russ Allbery <rra@debian.org>, debian-devel@lists.debian.org
- In-reply-to: <87ha6edl8d.fsf@windlord.stanford.edu>
- References: <1722468.nyLnYD01gx@debstor> <E1WSSLo-0008MK-1v@swivel.zugschlus.de> <10992188.hDEB1a5xIj@debstor> <E1WTnPJ-00036G-HY@swivel.zugschlus.de> <CAA0ZO6BWQ3nCvu5iTrygH1mcSz1qXrX8o31unNKctoL-0Ui=Qw@mail.gmail.com> <E1WU9CM-0003tw-7F@swivel.zugschlus.de> <CAA0ZO6C_pAMg12131_Xbau02r5ypK-_PZBEazJhttTHmYw7Kcg@mail.gmail.com> <E1WUgDq-0001Ao-0Z@swivel.zugschlus.de> <CAA0ZO6AO4hhqarT7w5qoT=ZrmRAWZhXjsV6dLYidtrox-RtJaA@mail.gmail.com> <87ha6edl8d.fsf@windlord.stanford.edu>
Hi,
On Mon, Mar 31, 2014 at 04:03:30PM -0700, Russ Allbery wrote:
> Brian May <brian@microcomaustralia.com.au> writes:
> > On 1 April 2014 04:42, Marc Haber <mh+debian-devel@zugschlus.de> wrote:
>
> >> cacert.org is unuseable if you offer your web site to muggles. It's
> >> not in the browsers.
>
> > Not sure what you mean. cacert.org is unusable at the moment because it
> > isn't included in the browsers. Which is the problem we were discussing
> > in this thread.
>
> But nothing Debian does one way or the other is going to get cacert.org's
> root certificates into the general end-user browsers. So that's a reality
> that we're going to have to continue to live with.
>
> Given that reality, it's not clear to me that cacert.org certificates
> really have much of an advantage for most use cases over self-signed
> certificates.
AFAIK in Debian we currently don't offer a simple way to run your own CA
with a webgui, autoreminder of expiry, etc. Having Cacert in
ca-certificates was a great way to cater for that without any extra
setup hazzle.
I still don't see why we penalize Debian users for the fact that _other_
operating systems don't include the cacert certificate.
Cheers,
-- Guido
Reply to: