Bug 11665

Summary: Please remove CAcert.org certificate from rootcerts
Product: Mageia Reporter: Geoffrey Thomas <mageia>
Component: RPM PackagesAssignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: luigiwalser, marja11, oe, thomas
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/718434
Whiteboard:
Source RPM: rootcerts-20130411.00-2.mga4.src.rpm CVE:
Status comment:
Bug Depends on: 11398    
Bug Blocks:    

Description Geoffrey Thomas 2013-11-13 21:06:45 CET 
Debian is considering removing CAcert.org from its root certificate package for a couple of reasons:
- It has not passed the standard Webtrust audit needed for inclusion in the major vendors' CA bundles (Mozilla, Google, Apple, MS, ...)
- It has a history of serious security issues that seem to be systemic to the implementation, and there doesn't seem to be a serious emphasis on code security.
- There are allegedly licensing issues associated with redistributing the root.
- It does not seem to be compliant with current CA/Browser Forum best practices for security. (CAcert.org is not a member of the CA/Browser Forum.)
I think it makes sense for Mageia to drop CAcert.org's root certificate, too.

Take a look at http://bugs.debian.org/718434 for the discussion. In particular, please note Ansgar Burchardt's email from September 16 identifying a shell injection vulnerability in CAcert's signing code (allowing, among other things, arbitrary certificates to be signed), and please note the general quality of that codebase....

Inclusion of CAcert in Mageia dates from this Mandriva bug from 2006: https://qa.mandriva.com/show_bug.cgi?id=23171

I think Debian and downstream users of its root certificate bundle are the largest population trusting CAcert.org. That is, still, a fairly small population, and I've made some arguments in that bug report (see my post at the bottom) why it specifically doesn't make sense for a small population to carry an additional root certificate that isn't widely trusted.

Furthermore, Debian's root certificates package is explicitly documented (in the package description, see http://packages.debian.org/sid/ca-certificates for example) as just being a collection of certificates with no particular statement as to whether those certificates are trustworthy to be root certs. I couldn't find a clear policy about the intention of Mageia's rootcerts package, but note that most other distributions (including Fedora and FreeBSD) have decided that they want a useful package of default root certificates, and so they've outsourced the decision to an external entity (generally Mozilla) that runs an acceptance program involving audits. No such entity has accepted CAcert.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-13 22:10:48 CET 
Maybe this will happen if we migrate to Fedora's ca-certificates package.  I know some of our users would be against this though, so probably needs some discussion on the dev mailing list.

Depends on: (none) => 11398
CC: (none) => luigiwalser, oe

Comment 2 Geoffrey Thomas 2013-11-17 01:01:59 CET 
If I understand correctly, Fedora is packaging the Mozilla bundle with no additional roots -- that definitely seems like the right policy to me. See also the discussion in https://fedorahosted.org/fesco/ticket/276 about certificate vetting. Is there an open bug I can follow about switching to the Mozilla bundle?

If you start a thread about CAcert on the dev mailing list, I'd appreciate being Cc'd. I definitely understand that this will be a change that affects existing folks relying on CAcert, but I think doing so, given CAcert's security posture, is a disservice to those users, and a huge disservice to users who aren't (intentionally) relying on CAcert.
Comment 3 Samuel Verschelde 2015-05-17 01:09:46 CEST 
Is this bug report still valid for Mageia 4 and/or Mageia 5?

Keywords: (none) => NEEDINFO
Hardware: i586 => All

Comment 4 Marja Van Waes 2015-11-30 14:48:07 CET 
(In reply to Geoffrey Thomas from comment #2)

> If you start a thread about CAcert on the dev mailing list, I'd appreciate
> being Cc'd. 

Feel free to be the one starting it, Geoffrey. You have as much right to post on that mailing list as anyone else.

I know little about certificates, but there's ca-cert in /etc/pki/tls/rootcerts/, I assume that's the same as CAcert.

[marja@localhost ~]$ ls -al /etc/pki/tls/rootcerts/ | grep ca-cert
lrwxrwxrwx 1 root root    29 nov  1 16:54 99d0fa06.0 -> ca-cert-signing-authority.pem
-rw-r--r-- 1 root root  8294 nov  1 16:54 ca-cert-signing-authority.pem
[marja@localhost ~]$ 

Assigning to pkg-bugs,  because there is no maintainer.

Note that I don't know whether this bug should be fixed, or closed as wontfix.

Keywords: NEEDINFO => (none)
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 5 Thomas Spuhler 2015-12-21 15:20:33 CET 
CACERT is working hard to upgrade their system with complete new software. I am not for dropping it. This is the almost the only free Cert we can get.

CC: (none) => thomas

Comment 6 David Walser 2015-12-21 16:21:18 CET 
(In reply to Thomas Spuhler from comment #5)
> CACERT is working hard to upgrade their system with complete new software. I
> am not for dropping it. This is the almost the only free Cert we can get.

With letsencrypt launching now, that's not true anymore.  Anyway, as I said before, this isn't the appropriate place to discuss this.
Comment 7 David Walser 2021-07-03 20:44:02 CEST 
This was fixed a year ago, as we changed our rootcerts package to work mostly the same as Fedora's ca-certificates.  It was actually fixed in pre-Mageia-8 Cauldron slightly earlier than that.

Status: NEW => RESOLVED
Resolution: (none) => FIXED