Debian is considering removing CAcert.org from its root certificate package for a couple of reasons:

- It has not passed the standard Webtrust audit needed for inclusion in the major vendors' CA bundles (Mozilla, Google, Apple, MS, ...)
- It has a history of serious security issues that seem to be systemic to the implementation, and there doesn't seem to be a serious emphasis on code security.
- There are allegedly licensing issues associated with redistributing the root.
- It does not seem to be compliant with current CA/Browser Forum best practices for security. (CAcert.org is not a member of the CA/Browser Forum.)

I think it makes sense for Mageia to drop CAcert.org's root certificate, too.

Take a look at http://bugs.debian.org/718434 for the discussion. In particular, please note Ansgar Burchardt's email from September 16 identifying a shell injection vulnerability in CAcert's signing code (allowing, among other things, arbitrary certificates to be signed), and please note the general quality of that codebase....

Inclusion of CAcert in Mageia dates from this Mandriva bug from 2006: https://qa.mandriva.com/show_bug.cgi?id=23171

I think Debian and downstream users of its root certificate bundle are the largest population trusting CAcert.org. That is, still, a fairly small population, and I've made some arguments in that bug report (see my post at the bottom) why it specifically doesn't make sense for a small population to carry an additional root certificate that isn't widely trusted.

Furthermore, Debian's root certificates package is explicitly documented (in the package description, see http://packages.debian.org/sid/ca-certificates for example) as just being a collection of certificates with no particular statement as to whether those certificates are trustworthy to be root certs.
I couldn't find a clear policy about the intention of Mageia's rootcerts package, but note that most other distributions (including Fedora and FreeBSD) have decided that they want a useful package of default root certificates, and so they've outsourced the decision to an external entity (generally Mozilla) that runs an acceptance program involving audits. No such entity has accepted CAcert.
Maybe this will happen if we migrate to Fedora's ca-certificates package. I know some of our users would be against this though, so probably needs some discussion on the dev mailing list.
Depends on: (none) => 11398
CC: (none) => luigiwalser, oe
If I understand correctly, Fedora is packaging the Mozilla bundle with no additional roots -- that definitely seems like the right policy to me. See also the discussion in https://fedorahosted.org/fesco/ticket/276 about certificate vetting. Is there an open bug I can follow about switching to the Mozilla bundle? If you start a thread about CAcert on the dev mailing list, I'd appreciate being Cc'd. I definitely understand that this will be a change that affects existing folks relying on CAcert, but I think doing so, given CAcert's security posture, is a disservice to those users, and a huge disservice to users who aren't (intentionally) relying on CAcert.
Is this bug report still valid for Mageia 4 and/or Mageia 5?
Keywords: (none) => NEEDINFO
Hardware: i586 => All
(In reply to Geoffrey Thomas from comment #2)
> If you start a thread about CAcert on the dev mailing list, I'd appreciate
> being Cc'd.

Feel free to be the one starting it, Geoffrey. You have as much right to post on that mailing list as anyone else.

I know little about certificates, but there's ca-cert in /etc/pki/tls/rootcerts/, I assume that's the same as CAcert.

[marja@localhost ~]$ ls -al /etc/pki/tls/rootcerts/ | grep ca-cert
lrwxrwxrwx 1 root root 29 nov 1 16:54 99d0fa06.0 -> ca-cert-signing-authority.pem
-rw-r--r-- 1 root root 8294 nov 1 16:54 ca-cert-signing-authority.pem
[marja@localhost ~]$

Assigning to pkg-bugs, because there is no maintainer. Note that I don't know whether this bug should be fixed, or closed as wontfix.
Keywords: NEEDINFO => (none)
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
CACERT is working hard to upgrade their system with complete new software. I am not for dropping it. This is almost the only free Cert we can get.
CC: (none) => thomas
(In reply to Thomas Spuhler from comment #5)
> CACERT is working hard to upgrade their system with complete new software. I
> am not for dropping it. This is almost the only free Cert we can get.

With letsencrypt launching now, that's not true anymore. Anyway, as I said before, this isn't the appropriate place to discuss this.
This was fixed a year ago, as we changed our rootcerts package to work mostly the same as Fedora's ca-certificates. It was actually fixed in pre-Mageia-8 Cauldron slightly earlier than that.
Status: NEW => RESOLVED
Resolution: (none) => FIXED