Re: CAcert.org's inclusion into IceCat

[Reed Loden]

On Mon, 06 Oct 2008 13:20:17 +0200
Giuseppe Scrivano <address@hidden> wrote:

> Thank you for pointing this problem out, but I think some points were
> a bit exagerated, how we can say the private key were to be leaked
> out?

I don't think it's that much of a stretch to consider the implications
if CAcert.org's private key were to get out. It's publicly known that
CAcert.org has had times in its history where the security of its root
cannot be verified. They are working to correct these problems by
moving to a new secure datacenter to house the private key(s) and the
CA root itself, but until they get to a point where they are 100% sure
that their root is secure and their private key(s) haven't been
compromised at any time, CAcert.org should not be added to the CA root
repository.

Do note that I mentioned many other problems besides just the possible
issues concerning CAcert.org's private key. Please re-read my mail and
consider all the different issues at hand here.

> Differently from other CAs their source code is GPL'ed and you can get
> it here: http://www.cacert.org/src-lic.php.
> From my point of view, it gives users more freedom as you can look
> directly at its source code and how it works, do you know of any case
> that CAcert showed to don't be trustable?  Are audits really so
> important when the software they use is Free?

Just because CAcert.org's source code is GPL'd doesn't mean it's any
more secure. I could set up a CA myself, and if I don't protect both
the hardware and the software (including the operating system) of the
machine(s) that host my CA's private key, it does me no good that the
CA-specific software is GPL'd. Having one package "secure" on a box
doesn't mean the other thousands of packages used to create that box
are secure, too. Free software != always secure.

> I agree with you that the first goal of a SSL certificate is to make
> sure the site you are visiting is really what you requested and safe
> browsing for IceCat users is a very important thing.
> On this ML we discussed the possibility to treat self-signed
> certificates differently than Firefox but now I disagree with this
> idea because I consider the SSL connection itself in second place to
> be sure the resource you got is exactly from whom you wanted.

I would hope you wouldn't ever make self-signed SSL certificates treated
as trusted by default. I would consider that even worse than adding the
CAcert.org root, as anybody can create self-signed SSL certificates, so
your users would never know if a certificate is truly valid for the
site they are visiting. Firefox 3 did a great service to the Internet,
imho, by making SSL errors more difficult to get around, as sites need
to use valid SSL certificates that are configured properly. Users
shouldn't be trained to just ignore warnings and click-through anyway.

SSL certificates are more than just security (encryption). They also
imply a level of identity (validity), which Firefox 3 has tried to make
better understood by users so that the different levels of SSL
certificates can be treated differently depending on their uses and so
that security is put above anything else, including ease/accessibility.
In today's world, security should be at the top of our priority list.

> Surely I am going to consider it with an open mind, I think to don't
> have prejudices of any sort :)

I'm glad you're considering this with an open mind like I ask, but
please make sure you consider all the problems CAcert.org currently
has, not just a chosen few. I really do believe CAcert.org will get to
the point in the future where it can be trusted and widely used, but
now is not that time. CAcert.org still has a long way to go until it
has proven its security and can be trusted as much as a normal CA.

~reed

-- 
Reed Loden - <address@hidden> / <address@hidden>
The GNU Project [gnu.org]
Free Software Foundation [fsf.org]