Re: ca-certificates: no more cacert.org certificates?!?

[Guido Günther <agx@sigxcpu.org>]

Hi,
On Mon, Mar 31, 2014 at 04:03:30PM -0700, Russ Allbery wrote:
> Brian May <brian@microcomaustralia.com.au> writes:
> > On 1 April 2014 04:42, Marc Haber <mh+debian-devel@zugschlus.de> wrote:
> 
> >> cacert.org is unuseable if you offer your web site to muggles. It's
> >> not in the browsers.
> 
> > Not sure what you mean. cacert.org is unusable at the moment because it
> > isn't included in the browsers. Which is the problem we were discussing
> > in this thread.
> 
> But nothing Debian does one way or the other is going to get cacert.org's
> root certificates into the general end-user browsers.  So that's a reality
> that we're going to have to continue to live with.
> 
> Given that reality, it's not clear to me that cacert.org certificates
> really have much of an advantage for most use cases over self-signed
> certificates.

AFAIK in Debian we currently don't offer a simple way to run your own CA
with a webgui, autoreminder of expiry, etc. Having Cacert in
ca-certificates was a great way to cater for that without any extra
setup hazzle. 

I still don't see why we penalize Debian users for the fact that _other_
operating systems don't include the cacert certificate.

Cheers, 
 -- Guido